I'm running OSSEC 2.4.1 on my agents (Linux) and server (Linux).
I have a local rules file that looks like this:
<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>553</if_sid>
    <srcip>192.168.1.1</srcip>
    <description>Ignore deleted log messages from server1</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>1003</if_sid>
    <srcip>192.168.1.2</srcip>
    <description>Ignore size too large messages from server2</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>5104</if_sid>
    <srcip>192.168.1.3</srcip>
    <description>Ignore promiscuous mode messages from server3</description>
  </rule>
But I'm still getting these alerts.
How can I troubleshoot this?
I've restarted OSSEC multiple times.
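As an added example (not part of the question, and not OSSEC's own code), a small Python linter for a local_rules.xml file. It checks the things that make "I added a rule and the alert still fires" hard to see by eye: whether the file is well-formed XML at all (the snippet as quoted above ends without a closing `</group>`, and OSSEC will not load a file like that), whether rule ids fall in the 100000-119999 range OSSEC reserves for local rules, whether each `<srcip>` is an address or netblock OSSEC can match, and which conditions each rule actually requires. The three rules from the question are embedded as constructed sample input; the script name and the wording of the findings are this example's own. One caveat the output flags deliberately: `<srcip>` is compared against the source IP decoded from the log text, not the address of the agent that forwarded the event, so the definitive check is to paste one of the offending alert lines into `/var/ossec/bin/ossec-logtest` and see which rule it lands on and whether a srcip field is decoded at all.

```python
"""Lint an OSSEC local_rules.xml before blaming the rule engine.

Added example, not code from the question or from OSSEC. Standard library
only, so it runs on the server: python lint_ossec_rules.py /var/ossec/rules/local_rules.xml
(the script name is this example's own choice).
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# OSSEC reserves ids 100000-119999 for rules in local_rules.xml.
LOCAL_ID_RANGE = range(100000, 120000)

# Constructed sample: the three rules from the question, as quoted there,
# i.e. without a closing </group>.
POSTED_SNIPPET = """<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>553</if_sid>
    <srcip>192.168.1.1</srcip>
    <description>Ignore deleted log messages from server1</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>1003</if_sid>
    <srcip>192.168.1.2</srcip>
    <description>Ignore size too large messages from server2</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>5104</if_sid>
    <srcip>192.168.1.3</srcip>
    <description>Ignore promiscuous mode messages from server3</description>
  </rule>
"""
# The same rules with the group closed, as the file must look on disk.
FIXED_SNIPPET = POSTED_SNIPPET + "</group>\n"


def valid_srcip(value):
    """Accept what OSSEC accepts in <srcip>: one address, a CIDR block,
    a dotted prefix such as 192.168.1. and an optional leading '!'."""
    value = value.strip().lstrip("!")
    if value.endswith("."):
        parts = value[:-1].split(".")
        return 0 < len(parts) < 4 and all(p.isdigit() and int(p) < 256 for p in parts)
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint_rules(xml_text):
    """Return (findings, rules): findings are (severity, message) with
    severity error/warning/info; rules are dicts of each rule's conditions."""
    findings, rules, seen = [], [], set()
    try:
        # A rules file may hold several top-level <group> elements, so wrap
        # the text in a synthetic root instead of requiring one document root.
        root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    except ET.ParseError as exc:
        # An unclosed <group> or <rule> lands here; OSSEC will not load the
        # file, which alone explains alerts that keep coming.
        findings.append(("error", f"rules file is not well-formed XML: {exc}"))
        return findings, rules

    for group in root.iter("group"):
        for rule in group.findall("rule"):
            rid = rule.get("id", "")
            tag = f"rule id={rid!r}"
            if not rid.isdigit():
                findings.append(("error", f"{tag}: id is missing or not numeric"))
                continue
            rid = int(rid)
            if rid not in LOCAL_ID_RANGE:
                findings.append(("warning", f"{tag}: id outside the local range 100000-119999"))
            if rid in seen:
                findings.append(("error", f"{tag}: duplicate id"))
            seen.add(rid)
            srcip = rule.findtext("srcip")
            if srcip is not None and not valid_srcip(srcip):
                findings.append(("error", f"{tag}: <srcip> {srcip!r} is not an address or netblock"))
            elif srcip is not None:
                findings.append(("info", f"{tag}: <srcip> matches the IP decoded from the log text, "
                                         "not the reporting agent; confirm with ossec-logtest"))
            if rule.findtext("description") is None:
                findings.append(("warning", f"{tag}: no <description>"))
            rules.append({
                "id": rid,
                "level": int(rule.get("level", "0")),
                "group": group.get("name", ""),
                "if_sid": [s.strip() for s in (rule.findtext("if_sid") or "").split(",") if s.strip()],
                "srcip": srcip,
                "hostname": rule.findtext("hostname"),
            })
    return findings, rules


def has_errors(findings):
    return any(sev == "error" for sev, _ in findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_SNIPPET
    findings, rules = lint_rules(text)
    for sev, msg in findings:
        print(f"{sev.upper():7} {msg}")
    for r in rules:
        print(f"rule {r['id']} (level {r['level']}) fires after {r['if_sid']} "
              f"only when srcip={r['srcip']} hostname={r['hostname']}")
    sys.exit(1 if has_errors(findings) else 0)
```

Run without arguments it lints the quoted snippet and exits non-zero on the missing `</group>`; pointed at the real file it prints, per rule, the parent rule ids and the srcip/hostname values the event must carry, which is exactly the list to compare against what ossec-logtest reports for a real alert line.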