Hi Thomas,

Can you show the log you are trying to ignore? The program_name option only works if the message is in the proper syslog format (and we are very strict when parsing it). If you use ossec-logtest you can see how OSSEC is parsing the log and if the program_name is available.
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Jul 28, 2009 at 10:04 AM, Thomas Stather <[email protected]> wrote:
> Hello
>
> I want to write a local rule which ignores the messages from a certain
> system and process. For this I have written:
>
> <rule id="100001" level="0">
>   <if_sid>1002</if_sid>
>   <!--<program_name>slapd</program_name>-->
>   <hostname>xxx</hostname>
>   <program_name>slapd</program_name>
>   <match>ber_get_next</match>
>   <description>ignore rule for slapd error on xxx (ber_get_next)</description>
> </rule>
>
> I haven't changed anything else in my OSSEC config, but if I use
> <program_name> the rule isn't ignored. If I leave it out, then I don't
> get any messages.
> What is the problem here (in the syslog there is the correct string
> written -> slapd)?
>
> Greetings
>
> Thomas
>
> --
> Thomas Stather, Fraunhofer SIT
> Abteilung PSS
> Zimmer 007
> Rheinstrasse 75, 64295 Darmstadt, Germany
> Tel: +49 (0) 6151 86960058
> http://www.sit.fraunhofer.de
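The point Daniel makes above is that <program_name> and <hostname> are only populated when the syslog header parses, so a rule keyed on them silently never fires for a line whose header does not. The following is an added illustration, not code from OSSEC or from either poster: a small Python model of the classic BSD syslog header ("Mon DD HH:MM:SS host prog[pid]: message"), used to evaluate the three conditions of Thomas's rule 100001 against some constructed slapd-style lines. The regex is an approximation of what ossec-analysisd's syslog decoder accepts (the real decoder is stricter about details), and the sample lines are made up; if_sid 1002 is not modelled.

```python
import re
from typing import Dict, Optional

# Assumed classic BSD syslog header; the real OSSEC decoder is in ossec-analysisd
# and is stricter than this regex, but the fields it exposes are the same:
#   "Jul 28 10:04:01 xxx slapd[2231]: message"   or   "Jul 28 10:04:01 xxx slapd: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_syslog(line: str) -> Dict[str, Optional[str]]:
    """Return the fields a <hostname>/<program_name> rule can test.

    When the header does not match, hostname and program_name are None and the
    whole line becomes the message. That is exactly the situation in which a
    rule carrying <program_name> can never match, while the same rule without
    it still matches on <match> alone."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "message": line}
    return {
        "hostname": m.group("hostname"),
        "program_name": m.group("program_name"),
        "message": m.group("message"),
    }


def rule_100001_matches(line: str) -> bool:
    """Evaluate the conditions of rule 100001 from the thread on one line:
    <hostname>xxx</hostname>, <program_name>slapd</program_name>,
    <match>ber_get_next</match>. The <if_sid>1002</if_sid> parent is not modelled."""
    f = parse_syslog(line)
    return (
        f["hostname"] == "xxx"
        and f["program_name"] == "slapd"
        and "ber_get_next" in f["message"]
    )


# Constructed sample lines (not real slapd output).
GOOD = "Jul 28 10:04:01 xxx slapd[2231]: conn=1012 fd=19 closed (connection lost) ber_get_next error"
NO_PID = "Jul 28 10:04:01 xxx slapd: ber_get_next on fd 19 failed errno=0 (Success)"
OTHER_HOST = "Jul 28 10:04:01 ldap2 slapd[2231]: ber_get_next error"
# ISO timestamp and no "prog:" separator: not the header the decoder expects,
# so program_name is never set even though the string "slapd" is present.
NOT_SYSLOG = "2009-07-28 10:04:01 xxx slapd ber_get_next error"

if __name__ == "__main__":
    for line in (GOOD, NO_PID, OTHER_HOST, NOT_SYSLOG):
        f = parse_syslog(line)
        print(
            f"program_name={f['program_name']!r:10} hostname={f['hostname']!r:8} "
            f"rule_100001={rule_100001_matches(line)}  <- {line[:40]}"
        )
```

The last sample line is the case to look for in Thomas's situation: "slapd" is in the text, so <match> alone works, but no program_name is ever decoded, so the rule with <program_name> never fires. Pasting the real line into ossec-logtest (by default /var/ossec/bin/ossec-logtest) shows which decoder fired and whether program_name was extracted, which is the check Daniel asks for.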
