Thanks for the information; however, I guess I receive too many alerts on this! How can I ignore just this Rule Id? Should I do it on the server, or can it be done on the agent?
Cheers,
siamak

On Mar 25, 11:36 pm, "List Subscriptions" <[EMAIL PROTECTED]> wrote:
> What's the issue? That's normal since ossec-wui displays all alert
> levels and with a web app tied to a MySQL db for example you're going
> to have frequent auth success for web app DB calls.
>
> mysql_rules.xml:
>
> <rule id="50105" level="3">
>   <if_sid>50100</if_sid>
>   <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
>   <description>Database authentication success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> cheers,
>
> -cnk-
>
> On Tue, Mar 25, 2008 at 3:24 AM, <[EMAIL PROTECTED]> wrote:
> >
> > Hi
> >
> > I have configured an ossec agent to read MySQL logs (both error log and
> > query log), however, when I add the lines for the "generic query
> > log" to the agent ossec.conf I continuously receive "Database
> > notification success" on ossec-wui!
> > Any help is appreciated.
> >
> > -siamak
> >
> > 2008 Mar 20 17:32:42 Rule Id: 50105 level: 3
> > Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> > Database authentication success.
> > MySQL log: 080320 16:32:41 7385 Connect [EMAIL PROTECTED] on
> >
> > 2008 Mar 20 17:32:42 Rule Id: 50105 level: 3
> > Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> > Database authentication success.
> > MySQL log: 080320 16:32:40 7384 Connect [EMAIL PROTECTED] on
> >
> > 2008 Mar 20 17:32:40 Rule Id: 50105 level: 3
> > Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> > Database authentication success.
> > MySQL log: 080320 16:32:39 7383 Connect [EMAIL PROTECTED] on
> >
> > ....
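
One way to silence only rule 50105, shown here as an added example that is not part of the thread or of the OSSEC project's own rule files: a level-0 child rule in the local rules file. It assumes a default install under /var/ossec; the rule id 100105 and the group name are hypothetical choices. Rules are evaluated on the server (manager), not on the agent, so the change belongs there.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC server (assumed default path) -->
<!-- Added example: id 100105 and the group name are hypothetical. -->
<group name="local,mysql_log,">

  <!-- Child of 50105: fires whenever 50105 would fire.
       Level 0 means the event is ignored: it is not written as an
       alert, so it is not mailed and does not show up in ossec-wui. -->
  <rule id="100105" level="0">
    <if_sid>50105</if_sid>
    <description>Ignore MySQL authentication success (query log Connect).</description>
  </rule>

</group>
```

Restart the manager after editing so the rule set is reloaded. Other MySQL rules that do not depend on 50105 keep alerting as before.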
