Hello,
Our log rotation occurs every night and generates a lot of 40101
alerts because of an su to nobody. So, I added the following rule to
local_rules.xml:
<rule id="104011" level="0">
  <if_sid>40101</if_sid>
  <user>nobody</user>
  <time>2:00-2:01</time>
  <match>^(to nobody) root on none</match>
  <description>Ignore "su to nobody" by log rotation jobs nightly
  between 2:00 am and 2:01 am</description>
</rule>
I have tested this rule with ossec-logtest and sample events from our
logs. Here's a sample event:
Jun 30 02:00:02 machine_name su: (to nobody) root on none
My 104011 rule only works if I remove the <time></time> line. I have
tried every permutation I can think of such as adding a space before
and after the dash and using am/pm notation instead of 24 hour clock
notation. I have even increased the time range to 2:00-3:00 and still
no luck.
The date and time are supposed to be extracted by the predecoder so I
can't see that any su decoder changes I have made would make a
difference.
Anyone got any ideas?
Thanks,
tm
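Added example (not OSSEC code and not part of the post above): a small Python re-implementation of the three conditions rule 104011 combines (user, time range, anchored match), run over the sample event from the post, so the intended logic can be checked independently of ossec-logtest. It assumes traditional syslog timestamps, treats `<match>` as an anchored plain-string test rather than a regex, and uses a minimal su decoder (an assumption, not OSSEC's decoder) that takes the target user from `(to ...)`. How OSSEC itself evaluates `<time>` is exactly what the post is asking, and this code makes no claim about that; it only shows that the sample event satisfies the rule as written.

```python
import re
from datetime import time

# Sample event copied from the post above (the only log line it shows).
SAMPLE_EVENT = "Jun 30 02:00:02 machine_name su: (to nobody) root on none"

# Conditions of rule 104011 as written in the post.
RULE_104011 = {
    "user": "nobody",
    "time": "2:00-2:01",
    "match": "^(to nobody) root on none",
}

# Traditional syslog header: "Mon DD hh:mm:ss host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Simplified su decoder (assumption, not OSSEC's su decoder): pulls the
# target and calling user out of "(to TARGET) CALLER on TTY".
SU_RE = re.compile(r"^\(to (?P<dstuser>\S+)\) (?P<srcuser>\S+) on ")

# "hh:mm-hh:mm" or "h am - h:mm pm", as the rule's <time> element takes.
TIME_RANGE_RE = re.compile(
    r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*-\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$",
    re.IGNORECASE,
)


def clock(text):
    """Build a datetime.time from "hh:mm" or "hh:mm:ss" (test helper)."""
    parts = [int(p) for p in text.split(":")]
    return time(*parts)


def predecode(line):
    """Split a syslog line into the fields the rule conditions look at."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-formatted line: %r" % line)
    fields = {
        "hour": time(int(m["hh"]), int(m["mm"]), int(m["ss"])),
        "program": m["prog"],
        "log": m["msg"],  # the part of the line that <match> is applied to
    }
    if fields["program"] == "su":
        su = SU_RE.match(fields["log"])
        if su:
            fields.update(su.groupdict())
    return fields


def _to_time(hour, minute, ampm):
    h = int(hour)
    if ampm:  # 12-hour notation: "12 am" is 00:00, "12 pm" is 12:00
        h = h % 12 + (12 if ampm.lower() == "pm" else 0)
    return time(h, int(minute or 0))


def parse_time_range(spec):
    """Parse a range, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    m = TIME_RANGE_RE.match(spec[1:] if negate else spec)
    if not m:
        raise ValueError("bad time range: %r" % spec)
    h1, m1, ap1, h2, m2, ap2 = m.groups()
    return _to_time(h1, m1, ap1), _to_time(h2, m2, ap2), negate


def in_time_range(t, spec):
    """Inclusive, minute-granularity check; a range whose end precedes
    its start (e.g. "18:00-08:30") wraps around midnight."""
    start, end, negate = parse_time_range(spec)
    hm = (t.hour, t.minute)
    lo, hi = (start.hour, start.minute), (end.hour, end.minute)
    inside = lo <= hm <= hi if lo <= hi else (hm >= lo or hm <= hi)
    return inside != negate


def ossec_match(pattern, text):
    """<match> is a plain substring test, not a regex: parentheses are
    literal and a leading '^' anchors the pattern to the start of the log."""
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


def rule_matches(line, rule):
    """Evaluate the user, time and match conditions against one line.
    <user> is checked against both decoded users (assumption)."""
    ev = predecode(line)
    if "user" in rule and rule["user"] not in (ev.get("dstuser"), ev.get("srcuser")):
        return False
    if "time" in rule and not in_time_range(ev["hour"], rule["time"]):
        return False
    if "match" in rule and not ossec_match(rule["match"], ev["log"]):
        return False
    return True


if __name__ == "__main__":
    print(rule_matches(SAMPLE_EVENT, RULE_104011))
```

Run it and the sample event is accepted on all three conditions, with its 02:00:02 timestamp falling inside 2:00-2:01; a copy of the line at 03:00:02, or an su to a different user, is rejected. If ossec-logtest still rejects the real rule, the difference is in how it evaluates `<time>` for a replayed event, not in the event itself.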