On Tue, 18 May 2010 09:14:51 -0500 Michael Starks <[email protected]> wrote:

> On Tue, 18 May 2010 08:55:47 -0400, B/K Walker <[email protected]> wrote:
> > Here's an example, I get smart HDD test syslog events from my NAS box:
> >
> > Received From: fatty->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, Source IP: 127.0.0.1, Computer name: localhost, Content: [HDD SMART] HDD 1 Quick Test result: Completed without error.
> >
> > So I added
> >
> > <rule id="100009" level="0">
> >   <if_sid>1002</if_sid>
> >   <match>'Completed without error'</match>
> >   <match>'zmc'</match>
> >   <description>Ignoring HDD Smart test okay and zoneminder</description>
> > </rule>
>
> Hello B/K,
>
> The match tag uses the match library, which matches mostly on simple strings. See here: http://www.ossec.net/wiki/Know_How:Regex_Readme
>
> In your case, what is being matched is: 'Completed without error''zmc'
>
> That literal string would have to be in the log to match.
>
> You want a rule that looks more like this:
>
> <rule id="100009" level="0">
>   <if_sid>1002</if_sid>
>   <match>Completed without error</match>
>   <description>Ignoring HDD Smart test okay and zoneminder</description>
> </rule>
>
> If you want to match one or the other of the two strings, you can write it this way:
>
> <rule id="100009" level="0">
>   <if_sid>1002</if_sid>
>   <match>Completed without error|zmc</match>
>   <description>Ignoring HDD Smart test okay and zoneminder</description>
> </rule>
>
> You can make it more specific by matching on things like srcip, as long as it's decoded from the log.
>
> bin/ossec-logtest will help you to write a rule that works, so I recommend using that to try different things.
>
> Make sense?
Thanks, that'll be a help. I'll read up on the match library....
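The point Michael makes above, that several <match> tags are concatenated into one literal pattern while '|' inside a single <match> gives alternatives, can be checked without an OSSEC install. The following is an added illustration, not OSSEC code and not part of the thread: a deliberately simplified emulation of the <match> semantics the reply describes (concatenation, '|' alternation, plain case-sensitive substring test). It ignores the match library's special characters, <regex>, and decoders. The zoneminder log line and the unrelated kernel line are constructed samples; the SMART line is the one quoted in the thread.

```python
"""Simplified emulation of OSSEC <match> behaviour as described in the reply:
every <match> body in a rule is concatenated into one pattern, '|' separates
alternatives, and each alternative is a plain case-sensitive substring test.
This is an added illustration, not the OSSEC engine (no special characters,
no <regex>, no decoders, no <if_sid> chaining)."""
import xml.etree.ElementTree as ET

# Rule as originally written in the thread: two <match> tags.
BROKEN_RULE = """<rule id="100009" level="0">
  <if_sid>1002</if_sid>
  <match>'Completed without error'</match>
  <match>'zmc'</match>
  <description>Ignoring HDD Smart test okay and zoneminder</description>
</rule>"""

# Corrected rule from the reply: one <match>, '|' means "either".
FIXED_RULE = """<rule id="100009" level="0">
  <if_sid>1002</if_sid>
  <match>Completed without error|zmc</match>
  <description>Ignoring HDD Smart test okay and zoneminder</description>
</rule>"""

# Log line quoted in the thread.
SMART_LOG = ("May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, "
             "Source IP: 127.0.0.1, Computer name: localhost, Content: [HDD SMART] "
             "HDD 1 Quick Test result: Completed without error.")
# Constructed samples (not from the thread): one zoneminder line, one unrelated line.
ZMC_LOG = "May 18 00:05:00 fatty zmc[4242]: constructed sample zoneminder capture message"
OTHER_LOG = "May 18 00:06:00 fatty kernel: constructed unrelated message"


def effective_pattern(rule_xml: str) -> str:
    """Concatenate all <match> bodies, which is what the reply says OSSEC does."""
    rule = ET.fromstring(rule_xml)
    return "".join(m.text or "" for m in rule.findall("match"))


def match_alternatives(pattern: str) -> list:
    """Split the effective pattern on '|' into the literal alternatives."""
    return pattern.split("|")


def rule_matches(rule_xml: str, log_line: str) -> bool:
    """True if any alternative occurs literally (case-sensitive) in the log line."""
    alternatives = match_alternatives(effective_pattern(rule_xml))
    return any(alt in log_line for alt in alternatives)


def evaluate(rule_xml: str, logs: dict) -> dict:
    """Map each named sample log to whether the rule would silence it."""
    return {name: rule_matches(rule_xml, line) for name, line in logs.items()}


if __name__ == "__main__":
    samples = {"smart": SMART_LOG, "zmc": ZMC_LOG, "other": OTHER_LOG}
    print("broken pattern:", repr(effective_pattern(BROKEN_RULE)))
    print("broken rule   :", evaluate(BROKEN_RULE, samples))
    print("fixed pattern :", repr(effective_pattern(FIXED_RULE)))
    print("fixed rule    :", evaluate(FIXED_RULE, samples))
```

Running it shows the broken rule's effective pattern is the single literal 'Completed without error''zmc', which appears in none of the lines, so the level-0 override never fires and rule 1002 keeps alerting; the corrected rule silences both the SMART line and the zmc line while leaving the unrelated line alone. For real rules, bin/ossec-logtest, as the reply recommends, remains the authoritative check.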
