On Tue, 18 May 2010 08:55:47 -0400, B/K Walker <[email protected]> wrote:
> Here's an example, I get smart HDD test syslog events from my NAS box:
>
> Received From: fatty->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, Source IP: 127.0.0.1, Computer name: localhost, Content: [HDD SMART] HDD 1 Quick Test result: Completed without error.
>
>
> So I added
>
> <rule id="100009" level="0">
>   <if_sid>1002</if_sid>
>   <match>'Completed without error'</match>
>   <match>'zmc'</match>
>   <description>Ignoring HDD Smart test okay and zoneminder</description>
> </rule>
Hello B/K,

The match tag uses the match library, which matches mostly on simple strings. See here:

http://www.ossec.net/wiki/Know_How:Regex_Readme

In your case, what is being matched is:

  'Completed without error''zmc'

That literal string would have to be in the log to match. You want a rule that looks more like this:

  <rule id="100009" level="0">
    <if_sid>1002</if_sid>
    <match>Completed without error</match>
    <description>Ignoring HDD Smart test okay and zoneminder</description>
  </rule>

If you want to match one or the other of the two strings, you can write it this way:

  <rule id="100009" level="0">
    <if_sid>1002</if_sid>
    <match>Completed without error|zmc</match>
    <description>Ignoring HDD Smart test okay and zoneminder</description>
  </rule>

You can make it more specific by matching on things like srcip, as long as it's decoded from the log. bin/ossec-logtest will help you to write a rule that works, so I recommend using that to try different things.

Make sense?

-- 
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
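To make the behaviour Michael describes concrete, here is a small Python model of how the three rules above behave against the log line from the thread. This is an added illustration, not OSSEC code and not part of the original mails: it assumes the simplified <match> semantics the reply gives (plain substring test, "|" as alternation, multiple <match> elements concatenated into one string) and ignores everything else OSSEC's match library does. The ZoneMinder log line is constructed for the example. The real check is still bin/ossec-logtest.

```python
import xml.etree.ElementTree as ET

# Log line quoted in the thread (the event that fired rule 1002).
SMART_LOG = ("May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, "
             "Source IP: 127.0.0.1, Computer name: localhost, Content: "
             "[HDD SMART] HDD 1 Quick Test result: Completed without error.")

# Constructed sample: a ZoneMinder capture-daemon line, not from the thread.
ZM_LOG = "May 18 00:05:10 fatty zmc[2201]: INF [Monitor-1: 1000 - Capturing at 25.00 fps]"

# The three rules from the thread: the original (quoted, two <match> tags),
# the corrected single-string version, and the "one or the other" version.
ORIGINAL_RULE = """<rule id="100009" level="0">
  <if_sid>1002</if_sid>
  <match>'Completed without error'</match>
  <match>'zmc'</match>
  <description>Ignoring HDD Smart test okay and zoneminder</description>
</rule>"""

FIXED_RULE = """<rule id="100009" level="0">
  <if_sid>1002</if_sid>
  <match>Completed without error</match>
  <description>Ignoring HDD Smart test okay and zoneminder</description>
</rule>"""

EITHER_RULE = """<rule id="100009" level="0">
  <if_sid>1002</if_sid>
  <match>Completed without error|zmc</match>
  <description>Ignoring HDD Smart test okay and zoneminder</description>
</rule>"""


def load_rule(xml_text):
    """Parse one <rule> element into a dict.

    Several <match> elements are joined into a single pattern string, which is
    what the reply says happens with the original rule ('...error''zmc').
    """
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id"),
        "level": int(root.get("level")),
        "if_sid": [e.text.strip() for e in root.findall("if_sid")],
        "pattern": "".join(e.text or "" for e in root.findall("match")),
    }


def simple_match(pattern, log):
    """Assumed model of <match>: each '|'-separated alternative is a literal
    substring; quotes are ordinary characters, not delimiters."""
    return any(alt in log for alt in pattern.split("|") if alt)


def evaluate(rule, parent_sid, log):
    """Return the rule's level if it fires for this log, else None.

    A level-0 result means OSSEC would ignore the event, which is the goal
    of the rule in the thread.
    """
    if rule["if_sid"] and parent_sid not in rule["if_sid"]:
        return None
    if not simple_match(rule["pattern"], log):
        return None
    return rule["level"]


def explain(rule_xml, log, parent_sid="1002"):
    """Human-readable line for each rule/log pair, used by the demo below."""
    rule = load_rule(rule_xml)
    outcome = evaluate(rule, parent_sid, log)
    state = "fires (level %d)" % outcome if outcome is not None else "does not fire"
    return "pattern %r: %s" % (rule["pattern"], state)


if __name__ == "__main__":
    for name, xml_text in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE), ("either", EITHER_RULE)):
        print("%-8s SMART log -> %s" % (name, explain(xml_text, SMART_LOG)))
        print("%-8s zmc log   -> %s" % (name, explain(xml_text, ZM_LOG)))
```

Run as a script it prints one line per rule and log; the original rule never fires because the concatenated, quoted pattern appears in neither line, the corrected rule fires only on the SMART line, and the "|" version fires on both.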
