Hello,
try looking at the specific log files for the rules mentioned in the
alerts. For instance if you look in rules/ossec_rules.xml you will find
rule 502 (the alert level 5 quoted below) and notice:
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
The rule specifically states to send an e-mail regardless of your
configuration. There are some syslog rules like this (at alert level 2)
that will send e-mail. You probably want to write some custom rules to
either override or extend this behavior by setting options to not send
e-mail. Hope this helps.
Cheers,
Justin C. Klein Keane
Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 520
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)
The digital signature on this e-mail can be confirmed using the public
key at https://www.sas.upenn.edu/computing/user/3.
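One way to apply the override described above, written as an added example that is not part of the original thread: a local_rules.xml excerpt (assumed to be loaded after ossec_rules.xml, which is the default rule order in ossec.conf) that redefines rule 502 with the same matching logic but without the forced e-mail.

```xml
<!-- Added example: excerpt for /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,">

  <!-- overwrite="yes" replaces the stock definition of rule 502 from
       ossec_rules.xml. The replacement must be complete, so <if_sid>,
       <match> and <description> are copied from the original rule and
       only <options> changes: alert_by_email becomes no_email_alert.
       The alert is still logged at level 3; it simply no longer bypasses
       the email_alert_level threshold set in ossec.conf. -->
  <rule id="502" level="3" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Ossec started</match>
    <options>no_email_alert</options>
    <description>Ossec server started.</description>
  </rule>

  <!-- Any other stock rule that carries alert_by_email can be handled
       the same way: copy its full body here, add overwrite="yes" and
       replace the option. -->

</group>
```

After editing, restart the server with /var/ossec/bin/ossec-control restart and feed the original log line to /var/ossec/bin/ossec-logtest to confirm that rule 502 still fires and that the local definition is the one in effect.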
On 06/22/2010 10:11 AM, Michael Whitehead wrote:
> Hello, each time I go to restart my Ossec, I get a notification:
>
> Received From: ossec->ossec-monitord
> Rule: 502 fired (level 3) -> "Ossec server started."
> Portion of the log(s):
>
> ossec: Ossec started.
>
> I also get level 5 notifications:
>
> OSSEC HIDS Notification.
> 2010 Jun 21 10:03:25
>
> Received From: ossec->/var/log/secure
> Rule: 5710 fired (level 5) -> "Attempt to login using a non-existent user"
> Portion of the log(s):
>
> Jun 21 10:03:24 ossec sshd[18609]: Failed password for invalid user
> jimbo from 130.68.4.108 port 50939 ssh2
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2010 Jun 21 10:03:27
>
> Received From: ossec->/var/log/secure
> Rule: 5504 fired (level 5) -> "Attempt to login with an invalid user."
> Portion of the log(s):
>
> Jun 21 10:03:26 ossec sshd[18609]: pam_unix(sshd:auth): check pass; user
> unknown
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2010 Jun 21 10:03:27
>
> Received From: ossec->/var/log/secure
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> I have everything set so that it should not send me notifications for
> anything under level 7, and I have tried the different suggestions with
> no luck. Would the best course of action be to copy these rules, put them
> into the local_rules.xml file, and then add in the "do not email" option?
>
> Michael