On Tue, 18 May 2010 10:51:36 -0400 "dan (ddp)" <[email protected]> wrote:
> On Tue, May 18, 2010 at 8:55 AM, B/K Walker <[email protected]> wrote:
> > I've been struggling with cleaning up the notifications from ossec,
> > I've had some success but for whatever reason I can't seem to get a
> > grip on it completely.
> >
> > I've got several rules in local_rules.xml that filter out
> > unimportant stuff (windows really likes to twiddle registry keys,
> > in particular service Enum).  Most seem to work, however some do
> > not even though I use the same syntax.
> >
> > Here's an example, I get smart HDD test syslog events from my NAS
> > box:
> >
> > Received From: fatty->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> > system." Portion of the log(s):
> >
> > May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, Source
> > IP: 127.0.0.1, Computer name: localhost, Content: [HDD SMART] HDD 1
> > Quick Test result: Completed without error.
> >
> >
> > So I added
> >
> > <rule id="100009" level="0">
> >   <if_sid>1002</if_sid>
> >   <match>'Completed without error'</match>
> >   <match>'zmc'</match>
> >   <description>Ignoring HDD Smart test okay and zoneminder</description>
> > </rule>
> >
> >
> > It's in a group and parses fine of course.
> >
> > I still get the errors.  I've read in some article/howto that it's
> > best to avoid using regular expressions too much, perhaps there's
> > something wrong with my <match>?
> >
> >
> > --
> > A banker is a fellow who lends you his umbrella when the sun is
> > shining and wants it back the minute it begins to rain.
> >                -- Mark Twain
> >
> 
> The second <match> doesn't appear in the message. What is that second
> match trying to match?
> I also don't think you need the single quotes in the match fields.
> If you don't mind telling us, what type of NAS is that log from? And
> if you have any similar messages (especially disk failures or
> whatnot), we'd love to see them. We can help with rules creation.

Judging by my other rules, it seems to behave like the <match> is an 'or' 
situation.  I've got one really long one for matching a dozen or so windows 
registry updates.  It also didn't work when it only had the one match.

I added the single quotes as I saw them in another example, and they seemed to 
fix a problem I was having with matches like these:

<match>'\Services\vmx86\Parameters'</match>
<match>'\Services\iphlpsvc'</match>
<match>'\Services\RTL8167\Enum'</match>


So I've been using single quotes on everything ;-).  I'm starting to think I 
need to read the code to understand how to use these properly; I've been so far 
unable to find detailed documentation on the subject, and at least some of the 
articles I've seen are outdated.

The NAS box is a QNAP 419P.  I don't have any failures (yet), but presumably 
those would hit the rule anyway.  The second match is to filter errors with 
zoneminder (security camera software), as the cameras I'm using seem to lose 
their wifi connection on occasion and I'm not really worried about it as it'll 
sync back up.

Does it help to look at the raw syslog entries rather than the report from 
ossec?
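The following is an added worked example, not part of the thread and not OSSEC's own code. It models a `<match>` test the way OSSEC documents it (a case-sensitive substring check in which `|` separates alternatives) and runs the posted rule's patterns against the posted QNAP log line under three candidate ways of combining several `<match>` elements. Which of those three OSSEC actually uses is an assumption to check against the deployed version; the point the table makes does not depend on it: with the quotes left in, the patterns contain characters that never appear in the log line, so the rule cannot fire under any of them, while a single `<match>` using `|` fires under all of them.

```python
"""Added example (not from the thread, not OSSEC code): a minimal model of an
OSSEC-style <match> test, used to see why the posted rule does not silence
the QNAP SMART message.

Labelled assumptions: <match> is a plain case-sensitive substring test with
'|' as OR (documented OSSEC syntax); how several <match> elements in one
rule combine is modelled under three candidate semantics, not asserted.
"""

# Constructed sample: the log line quoted in the original post, unwrapped.
LOG_LINE = ("May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, Source "
            "IP: 127.0.0.1, Computer name: localhost, Content: [HDD SMART] HDD 1 "
            "Quick Test result: Completed without error.")


def match_pattern(pattern: str, line: str) -> bool:
    """OSSEC-style <match>: substring test; '|' separates OR alternatives."""
    return any(alt in line for alt in pattern.split("|") if alt)


def rule_fires(patterns, line: str, semantics: str = "all") -> bool:
    """Combine several <match> values under one candidate semantics.

    'all'    every <match> must hit (AND)
    'any'    one hit is enough (OR)
    'concat' the values are joined into one pattern before testing
    """
    if semantics == "all":
        return all(match_pattern(p, line) for p in patterns)
    if semantics == "any":
        return any(match_pattern(p, line) for p in patterns)
    if semantics == "concat":
        return match_pattern("".join(patterns), line)
    raise ValueError(f"unknown semantics: {semantics}")


# Pattern sets under test. In AS_POSTED the single quotes are literal
# characters of the pattern, and the log line contains no quotes at all.
AS_POSTED = ["'Completed without error'", "'zmc'"]
UNQUOTED = ["Completed without error", "zmc"]
SINGLE_OR = ["Completed without error|zmc"]   # one <match>, '|' alternation


def diagnose(line: str = LOG_LINE) -> dict:
    """Return {pattern_set: {semantics: fired}} for the sample line."""
    sets = (("as_posted", AS_POSTED), ("unquoted", UNQUOTED), ("single_or", SINGLE_OR))
    return {label: {s: rule_fires(pats, line, s) for s in ("all", "any", "concat")}
            for label, pats in sets}


if __name__ == "__main__":
    for label, row in diagnose().items():
        print(f"{label:10s} " + "  ".join(f"{s}={v}" for s, v in row.items()))
```

Reading the output: `as_posted` is False in every column because of the quotes; `unquoted` fires only under OR, so the observation "I still get the alerts" is consistent with either AND or concatenation but not with OR; `single_or` fires everywhere, which is why a single `<match>` with `|` alternation is the form to prefer when one rule should quiet several unrelated messages.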
