Dear Siamak

Ignoring a rule can easily be done on the server. Make sure you create
the rule with alert level 0 (means ignore) in local_rules.xml (on the
server). For your case:

<rule id="100101" level="0"> <!-- you can define your own rule id make -->
  <if_sid>50105</if_sid>
  <match>pattern in event you want to ignore</match>
  <description>Events ignored</description>
</rule>

Regards
Gagan


On Mar 28, 10:52 am, [EMAIL PROTECTED] wrote:
> Thanks for the information, however, I guess I receive too many alerts
> on this!
> How can I ignore just this Rule Id?
> Should I do it on the server, or can it be done on the agent?
>
> Cheers,
>
> siamak
>
> On Mar 25, 11:36 pm, "List Subscriptions" <[EMAIL PROTECTED]>
> wrote:
>
>
>
> > What's the issue? That's normal since ossec-wui displays all alert
> > levels and with a web app tied to a MySQL db for example you're going
> > to have frequent auth success for web app DB calls.
>
> > mysql_rules.xml:
>
> > <rule id="50105" level="3">
> >     <if_sid>50100</if_sid>
> >     <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
> >     <description>Database authentication success.</description>
> >     <group>authentication_success,</group>
> >   </rule>
>
> > cheers,
>
> > -cnk-
>
> > On Tue, Mar 25, 2008 at 3:24 AM,  <[EMAIL PROTECTED]> wrote:
>
> > >  Hi
>
> > >  I have configured an ossec agent to read MySQL logs (both error log and
> > >  query log); however, when I add the lines for the "generic query
> > >  log" to the agent ossec.conf I continuously receive "Database
> > >  notification success" on ossec-wui!
> > >  Any help is appreciated.
>
> > >  -siamak
>
> > >  2008 Mar 20 17:32:42  Rule Id: 50105  level: 3
> > >  Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> > >  Database authentication success.
> > >  MySQL log: 080320 16:32:41 7385 Connect [EMAIL PROTECTED] on
>
> > >  2008 Mar 20 17:32:42 Rule Id: 50105 level: 3
> > >  Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> > >  Database authentication success.
> > >  MySQL log: 080320 16:32:40 7384 Connect [EMAIL PROTECTED] on
>
> > >  2008 Mar 20 17:32:40 Rule Id: 50105 level: 3
> > >  Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> > >  Database authentication success.
> > >  MySQL log: 080320 16:32:39 7383 Connect [EMAIL PROTECTED] on
>
> > >  ....