Thanks Peter and Daniel.  Yeah I should probably reconfigure syslog
eventually.  For now I'm also trying to increase my understanding of how rules
get triggered.  It looks like your suggestion works for me, to add an
<if_level> element in addition to <hostname>.  My first try was the
following addition to local_rules.xml, which did *not* "undo" alerts that
had already been triggered for myhost.mydomain.com:

  <rule id="100060" level="0">
    <description>Ignore localfile entries from myhost.mydomain.com.</description>
    <hostname>myhost.mydomain.com</hostname>
  </rule>

but this one does work:

  <rule id="100060" level="0">
    <if_level>1</if_level>
    <description>Ignore localfile entries from myhost.mydomain.com.</description>
    <hostname>myhost.mydomain.com</hostname>
  </rule>

Was I going to need to add one of the <if_*> elements to get it to fire?  I noticed
an if_sid rule could get it to work also, but then it seemed I was going to
have to add one new rule for every existing rule.  Why isn't <hostname> by
itself enough to get the rule to match?

-Eric


On Mon, Nov 3, 2008 at 1:45 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:

>
> Hi Eric,
>
> If you use the <hostname> tag as Peter said, it will work properly
> (you can probably add <if_level>1</if_level> to make sure it is
> inspected for every event). However, OSSEC will still waste time
> processing these events, so it might be a better idea to configure
> your syslog server to log every remote syslog event from this host
> to a separate file that OSSEC is not monitoring.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Sat, Nov 1, 2008 at 10:34 PM, Eric Wemhoff <[EMAIL PROTECTED]> wrote:
> > I've been trying and searching the manual and the forums, and I'm sure
> > there's a simple solution, but I haven't been able to figure it out yet.
> >
> > I have an agent machine sending log msgs to a server machine via ossec's
> > 'secure' connection.  Ossec reports alerts based on those (working great).
> >
> > The agent machine also remote-syslog's those messages to the server, which
> > are received by syslogd and saved in /var/log/*.log on the server (because I
> > want them saved for posterity).  So now I get duplicate versions of every
> > log-based alert, which is expected, since the log msgs come across the
> > secure connection, and they also show up in the local log files, which ossec
> > is also inspecting.
> >
> > But I don't want duplicate alerts.  How can I tell ossec to not consider all
> > log messages in the local log files that come from the agent, i.e., that have
> > agent_hostname as hostname?  I've made various attempts to add elements to
> > local_rules.xml, but no luck so far.
> >
> > -Eric
> >
> >
>
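
The thread's finding is that a level-0 rule carrying only <hostname> and no <if_*> element suppressed nothing until <if_level>1</if_level> (or an <if_sid>) tied it into the rule tree. The script below is an added example, not code from the thread or from the OSSEC project: it lints a local_rules.xml fragment for exactly that mistake. The classification of rule elements into "parent selectors" and "top-level selectors", the synthetic wrapper root, and the sample rules (constructed from the two rules posted above, under distinct ids) are all this script's own assumptions.

```python
"""Lint OSSEC-style rules XML for level-0 "ignore" rules that stand outside
the rule tree.

Added example, not from the thread or the OSSEC project.  It encodes the
behaviour observed in the thread: a level-0 rule with only <hostname>
suppressed nothing until an <if_level> or <if_sid> element attached it to a
parent.  PARENT_SELECTORS and TOP_LEVEL_SELECTORS are this script's own
classification of rule elements, not an OSSEC definition.
"""
import sys
import xml.etree.ElementTree as ET

# Elements that attach a rule to a parent rule or level in the tree.
PARENT_SELECTORS = {
    "if_sid", "if_group", "if_level",
    "if_matched_sid", "if_matched_group", "if_matched_level",
}
# Elements that let a rule act as a meaningful top-level (root) rule.
TOP_LEVEL_SELECTORS = {"decoded_as", "category"}


def parse_rules(text):
    """Return every <rule> element in a rules fragment.

    A rules file may hold several <group> roots, so wrap the text in a
    synthetic root first.  Assumes the fragment is well-formed XML."""
    root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    return list(root.iter("rule"))


def detached_ignore_rules(text):
    """Return ids of level-0 rules that have no if_* element and no
    top-level selector: rules that would match but are never reached."""
    findings = []
    for rule in parse_rules(text):
        if rule.get("level") != "0":
            continue
        tags = {child.tag for child in rule}
        if tags & PARENT_SELECTORS or tags & TOP_LEVEL_SELECTORS:
            continue
        findings.append(rule.get("id"))
    return findings


def report(text):
    """Human-readable finding lines, one per detached rule."""
    return [
        f"rule {rid}: level 0 with no <if_*> parent; add <if_level>1</if_level> "
        f"(or an <if_sid>) so it is evaluated as a child rule"
        for rid in detached_ignore_rules(text)
    ]


# Constructed sample: the two rules from the thread under distinct ids.
SAMPLE_RULES = """
<group name="local,syslog,">
  <rule id="100060" level="0">
    <description>Ignore localfile entries from myhost.mydomain.com.</description>
    <hostname>myhost.mydomain.com</hostname>
  </rule>

  <rule id="100061" level="0">
    <if_level>1</if_level>
    <description>Ignore localfile entries from myhost.mydomain.com.</description>
    <hostname>myhost.mydomain.com</hostname>
  </rule>
</group>
"""

if __name__ == "__main__":
    # Usage: python lint_rules.py /var/ossec/rules/local_rules.xml
    # With no argument, lint the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line in report(text):
        print(line)
```

Run against the sample, it reports only rule 100060 (the first attempt from the thread); rule 100061, which carries <if_level>1</if_level>, passes. Because the check is purely structural, it will also flag a level-0 rule that deliberately uses <decoded_as> or <category> only if you remove those from TOP_LEVEL_SELECTORS, so adjust the two sets to match the conventions of your own rules file.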
