Hi everyone,
I put the following in local_rules.xml:
<rule id="100050" level="0">
  <if_sid>1002</if_sid>
  <regex>^dovecot\.*Corrupted index cache file</regex>
  <description>Ignore dovecot index corruption messages</description>
</rule>
And I still get the following. What am I doing wrong?
----- Forwarded message from OSSEC HIDS -----
To: [EMAIL PROTECTED]
From: OSSEC HIDS <[EMAIL PROTECTED]>
Date: Sat, 01 Nov 2008 10:39:37 -0700
Subject: OSSEC Notification - satyr - Alert level 2
OSSEC HIDS Notification.
2008 Nov 01 10:39:19
Received From: satyr->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Nov 1 10:39:18 satyr dovecot: IMAP(kayvan): Corrupted index cache file /home/kayvan/mail/.imap/Deleted Messages/dovecot.index.cache: invalid record size