Hello
I want to write a local rule which ignores the messages from a certain
system and process. For this I have written:
<rule id="100001" level="0">
  <if_sid>1002</if_sid>
  <!--<program_name>slapd</program_name>-->
  <hostname>xxx</hostname>
  <program_name>slapd</program_name>
  <match>ber_get_next</match>
  <description>ignore rule for slapd error on xxx (ber_get_next)</description>
</rule>
I haven't changed anything else in my ossec config, but if I use
<program_name> the rule isn't ignored. If I leave it out, then I don't
get any messages.
What is the problem here (in the syslog the correct string is
written -> slapd)?
Greetings
Thomas
--
Thomas Stather, Fraunhofer SIT
Abteilung PSS
Zimmer 007
Rheinstrasse 75, 64295 Darmstadt, Germany
Tel: +49 (0) 6151 86960058
http://www.sit.fraunhofer.de
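As an added illustration (not part of the original post and not OSSEC's own decoder or rule engine), the script below emulates, in a deliberately simplified way, how a BSD-syslog line is split into the hostname, program_name and log-body fields that a rule like the one above is compared against, and then evaluates the rule's <hostname>, <program_name> and <match> conditions against a few constructed log lines. The point it shows is that the decoded program_name is the bare process name ("slapd"), without the "[pid]" suffix, and that every one of the three conditions has to hold for the level-0 rule to swallow the event. The <if_sid>1002</if_sid> parent dependency is not emulated, and hostname/program_name are compared exactly here, which is a simplification of OSSEC's matching.

```python
"""Simplified emulation of syslog decoding plus local-rule matching.

Added example code; the rule text mirrors the post, the log lines are
constructed for illustration, and the matching logic is a simplification
of what OSSEC actually does (no if_sid parent check, exact field compare).
"""
import re
import xml.etree.ElementTree as ET

# Local rule as quoted in the post (hostname placeholder "xxx" kept as-is).
LOCAL_RULES = """<group name="local,">
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <hostname>xxx</hostname>
    <program_name>slapd</program_name>
    <match>ber_get_next</match>
    <description>ignore rule for slapd error on xxx (ber_get_next)</description>
  </rule>
</group>"""

# BSD-syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: "   # program name, optional [pid]
    r"(?P<msg>.*)$"
)


def decode_syslog(line):
    """Return the decoded fields a rule is matched against, or None."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return {
        "hostname": m.group("host"),
        "program_name": m.group("prog"),   # "slapd", never "slapd[1234]"
        "log": m.group("msg"),
    }


def load_rule(xml_text, rule_id):
    """Pull one <rule> out of a rules file into a flat dict of its children."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        if rule.get("id") == rule_id:
            fields = {child.tag: (child.text or "").strip() for child in rule}
            fields["level"] = int(rule.get("level"))
            return fields
    raise KeyError("rule %s not found" % rule_id)


def rule_matches(rule, event):
    """hostname/program_name: exact compare; match: substring of the log body."""
    if event is None:
        return False
    for field in ("hostname", "program_name"):
        if field in rule and rule[field] != event[field]:
            return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    return True


def would_be_ignored(line, rules=LOCAL_RULES, rule_id="100001"):
    """True when the level-0 rule swallows the event under this emulation."""
    rule = load_rule(rules, rule_id)
    return rule["level"] == 0 and rule_matches(rule, decode_syslog(line))


# Constructed sample lines, one per condition the rule checks.
SAMPLES = [
    "Jan 12 10:00:01 xxx slapd[1234]: connection_read(23): ber_get_next failed",
    "Jan 12 10:00:02 xxx slapd: ber_get_next on fd 23 failed",        # no pid
    "Jan 12 10:00:03 yyy slapd[1234]: connection_read(23): ber_get_next failed",
    "Jan 12 10:00:04 xxx sshd[99]: error: ber_get_next mentioned by another daemon",
    "Jan 12 10:00:05 xxx slapd[1234]: connection_read(23): some other error",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = decode_syslog(line)
        print("%-5s prog=%-6s host=%-4s %s" % (
            would_be_ignored(line), ev["program_name"], ev["hostname"], line))
```

Running it prints True for the first two lines (host, program and string all match, pid or not) and False for the remaining three, each failing on exactly one of hostname, program_name or match.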