On Tue, May 18, 2010 at 8:55 AM, B/K Walker <[email protected]> wrote:
> I've been struggling with cleaning up the notifications from OSSEC. I've had 
> some success, but for whatever reason I can't seem to get a grip on it 
> completely.
>
> I've got several rules in local_rules.xml that filter out unimportant stuff 
> (Windows really likes to twiddle registry keys, in particular service Enum).  
> Most seem to work; however, some do not, even though I use the same syntax.
>
> Here's an example, I get smart HDD test syslog events from my NAS box:
>
> Received From: fatty->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, Source IP: 
> 127.0.0.1, Computer name: localhost, Content: [HDD SMART] HDD 1 Quick Test 
> result: Completed without error.
>
>
> So I added
>
> <rule id="100009" level="0">
> <if_sid>1002</if_sid>
> <match>'Completed without error'</match>
> <match>'zmc'</match>
> <description>Ignoring HDD Smart test okay and zoneminder</description>
> </rule>
>
>
> It's in a group and parses fine of course.
>
> I still get the errors.  I've read in some article/howto that it's best to 
> avoid using regular expressions too much, perhaps there's something wrong 
> with my <match>?
>
>
> --
> A banker is a fellow who lends you his umbrella when the sun is shining
> and wants it back the minute it begins to rain.
>                -- Mark Twain
>

The second <match> doesn't appear in the message. What is that second
match trying to match?
I also don't think you need the single quotes in the match fields.
If you don't mind telling us, what type of NAS is that log from? And
if you have any similar messages (especially disk failures or
whatnot), we'd love to see them. We can help with rules creation.

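One way to express the intended filter, split into one rule per condition with the quotes dropped (an added example for this thread, not the rule the poster or the OSSEC project shipped; the second rule id and the "zmc" description are assumptions):

```xml
<group name="local,syslog,">
  <!-- Added example. OSSEC <match> is a literal substring test, so the
       single quotes in the original rule would have to appear in the log
       line itself to match. Each rule carries exactly one <match>. -->
  <rule id="100009" level="0">
    <if_sid>1002</if_sid>
    <match>Completed without error</match>
    <description>Ignore HDD SMART quick test reporting no error</description>
  </rule>

  <!-- Assumed id 100010 and assumed meaning (ZoneMinder capture daemon);
       kept separate so each silenced pattern is visible and auditable. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>zmc</match>
    <description>Ignore ZoneMinder zmc messages</description>
  </rule>
</group>
```

A level 0 rule suppresses the alert only for the exact substring given, so a SMART line that does not contain "Completed without error" (a failed test, for example) still reaches rule 1002 and is still alerted on.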