All,
I've created a custom rule in local_rules.xml to not send literally thousands
of e-mail alerts when a connection to a specific machine can't be made, and
it's not working. I'm hoping someone here can spot what I've done wrong and
provide a correction.
Here's the rule:
<!-- Ignore the thousands (literally!) of alerts about "Dimension" -->
<rule id="103010" level="0">
<if_sid>1003</if_sid>
<hostname>Server19/server19</hostname>
<hostname>Server26/server26</hostname>
<match>DIMENSION</match>
<options>no_email_alert</options>
<description>Failed connection to Dimension (every minute)</description>
</rule>
When I originally had only one <hostname>server</hostname> entry, it was
working fine. I'm guessing that even though OSSEC doesn't complain if you have
multiple entries, it doesn't honor it. I've read the manual section:
hostname: Any hostname (decoded as the syslog hostname).
and it seems that only one hostname is allowed, since it doesn't specify how to
delimit multiple entries.
Should I just write another rule with the second servername?
Thanks,
Kevin
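One way to express this as a single rule, added here as an example and not taken from the post above or from the OSSEC project's own rule set: it relies on the OSSEC OS_Match (sregex) syntax, in which "|" separates alternative patterns and "^" / "$" anchor a pattern to the start / end of the field. The hostnames "server19" and "server26" are assumed to be what the syslog decoder actually produces for those machines; the "Server19/server19" form in the original rule is not used here.

```xml
<!-- Added example: one rule that covers both hosts.
     Assumes OS_Match semantics for <hostname>: "|" = OR, "^"/"$" = anchors,
     so "server190" would not be silenced by accident. -->
<rule id="103010" level="0">
  <if_sid>1003</if_sid>
  <hostname>^server19$|^server26$</hostname>
  <match>DIMENSION</match>
  <!-- level="0" already drops the event; no_email_alert is kept only to make
       the intent explicit to the next person reading local_rules.xml -->
  <options>no_email_alert</options>
  <description>Failed connection to Dimension (every minute)</description>
</rule>
```

Writing a second rule with a different id and the other hostname, as the poster suggests, is the other valid approach. Either way, verify the result before relying on it: paste one of the offending log lines into /var/ossec/bin/ossec-logtest and confirm it reports rule 103010 (or the sibling rule) rather than 1003, and then paste a line from a host that should still alert to confirm it does not match.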