Try this:
<rule id="100050" level="0">
<if_sid>1002</if_sid>
<program_name>^dovecot</program_name>
<match>Corrupted index cache file </match>
<options>no_email_alert</options>
<description>Ignore dovecot index corruption messages</description>
</rule>

On Sat, 2008-11-01 at 13:49 -0700, Kayvan A. Sylvan wrote:
> Hi everyone,
>
> I put the following in local_rules.xml:
>
> <rule id="100050" level="0">
> <if_sid>1002</if_sid>
> <regex>^dovecot\.*Corrupted index cache file</regex>
> <description>Ignore dovecot index corruption messages</description>
> </rule>
>
> And I still get the following. What am I doing wrong?
>
> ----- Forwarded message from OSSEC HIDS -----
>
> To: [EMAIL PROTECTED]
> From: OSSEC HIDS <[EMAIL PROTECTED]>
> Date: Sat, 01 Nov 2008 10:39:37 -0700
> Subject: OSSEC Notification - satyr - Alert level 2
>
> OSSEC HIDS Notification.
> 2008 Nov 01 10:39:19
>
> Received From: satyr->/var/log/maillog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Nov 1 10:39:18 satyr dovecot: IMAP(kayvan): Corrupted index cache file
> /home/kayvan/mail/.imap/Deleted Messages/dovecot.index.cache: invalid record
> size
>
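
Added example, not part of the original thread and not OSSEC code: a simplified Python model of syslog pre-decoding, assuming rule patterns are evaluated against the log text that remains after the timestamp, host and program name are split off. It shows why the anchored <regex> from the question never matches while the <program_name> plus <match> rule does; the function names and the second sample line are constructed for illustration.

```python
import re

# Constructed sample: the maillog line from the alert above, joined onto one line.
LINE = ("Nov 1 10:39:18 satyr dovecot: IMAP(kayvan): Corrupted index cache file "
        "/home/kayvan/mail/.imap/Deleted Messages/dovecot.index.cache: "
        "invalid record size")
# Constructed sample: an unrelated dovecot message that must not be suppressed.
OTHER = "Nov 1 10:40:02 satyr dovecot: imap-login: Disconnected: Inactivity"

# Simplified model of syslog pre-decoding (an assumption, not OSSEC's parser):
# timestamp, hostname and program name are split off, the rest is the log text.
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")


def predecode(line):
    """Split a syslog-style line into ts, host, program and log fields."""
    m = SYSLOG.match(line)
    if m is None:
        raise ValueError("not a syslog-style line")
    return m.groupdict()


def original_rule(ev):
    """<regex>^dovecot\\.*Corrupted index cache file</regex>

    In OSSEC regex syntax "\\." matches any character, so the pattern is
    written here as ".*". It is tested against the log text only.
    """
    pattern = r"^dovecot.*Corrupted index cache file"
    return re.search(pattern, ev["log"]) is not None


def suggested_rule(ev):
    """<program_name>^dovecot</program_name> plus the <match> string."""
    return (re.search(r"^dovecot", ev["program"]) is not None
            and "Corrupted index cache file " in ev["log"])


if __name__ == "__main__":
    for sample in (LINE, OTHER):
        ev = predecode(sample)
        print(ev["program"], "|", ev["log"][:40])
        print("  original rule matches: ", original_rule(ev))
        print("  suggested rule matches:", suggested_rule(ev))
```

On a real installation, ossec-logtest shows the actual pre-decoded fields and which rule fires for a pasted log line.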