Use ossec-logtest and a sample log event. Make sure the srcip is
getting pulled out of the message properly.

On Mon, Sep 27, 2010 at 1:46 PM, Joe S <[email protected]> wrote:
> I'm running OSSEC 2.4.1 on my agents (linux) and server (linux)
>
> I have a local rules file that looks like this:
>
>
> <group name="local,syslog,">
>
>  <rule id="100001" level="0">
>    <if_sid>553</if_sid>
>    <srcip>192.168.1.1</srcip>
>    <description>Ignore deleted log messages from server1</description>
>  </rule>
>
>  <rule id="100002" level="0">
>    <if_sid>1003</if_sid>
>    <srcip>192.168.1.2</srcip>
>    <description>Ignore size too large messages from server2</description>
>  </rule>
>
>  <rule id="100003" level="0">
>    <if_sid>5104</if_sid>
>    <srcip>192.168.1.3</srcip>
>    <description>Ignore promiscuous mode messages from server3</description>
>  </rule>
>
> </group>
>
> But I'm still getting these alerts.
>
> How can I troubleshoot this?
>
> I've restarted OSSEC multiple times.
>
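
The check the reply recommends, worked through as an added example (this is not code from the thread or from OSSEC itself): the poster's three local rules are parsed, a constructed event is run through a toy decoder standing in for ossec-logtest's decoding phase, and the rules are evaluated against the decoded fields. The point it makes is that `<srcip>` compares against the srcip field a decoder extracted from the message body; if no decoder pulls an address out of the event, the field is empty and a `<srcip>` condition can never hold, so the parent alert keeps firing no matter which host sent the log. The regex, the sample log lines and the `parent_sid` field are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# The poster's local_rules.xml, embedded so the example runs offline
# (the closing </group> is added here; it was missing from the quoted text).
LOCAL_RULES = """\
<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>553</if_sid>
    <srcip>192.168.1.1</srcip>
    <description>Ignore deleted log messages from server1</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>1003</if_sid>
    <srcip>192.168.1.2</srcip>
    <description>Ignore size too large messages from server2</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>5104</if_sid>
    <srcip>192.168.1.3</srcip>
    <description>Ignore promiscuous mode messages from server3</description>
  </rule>
</group>
"""

# Constructed stand-in for an OSSEC decoder regex.  In OSSEC the srcip field
# holds whatever a decoder extracted from the message body; the address of the
# agent or syslog host that delivered the event is not used to fill it.
SRCIP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed events.  parent_sid stands for the rule id (here 1003) that has
# already fired on the event and that the local rule's <if_sid> refers to.
# The agent's own address appears in the location, which decode() ignores.
EVENT_NO_SRCIP = {
    "parent_sid": "1003",
    "location": "(server2) 192.168.1.2->/var/log/messages",
    "log": "Sep 27 13:40:01 server2 app[4242]: oversized payload, 9001 bytes",
}
EVENT_WITH_SRCIP = dict(
    EVENT_NO_SRCIP,
    log="Sep 27 13:40:02 server2 app[4242]: oversized payload from 192.168.1.2",
)


def decode(event):
    """Decoding phase, reduced to the one field under discussion."""
    m = SRCIP_RE.search(event["log"])
    return {"srcip": m.group(1) if m else None}


def load_rules(xml_text):
    """Read <rule> elements into dicts; only the options used here are kept."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = (r.findtext("if_sid") or "").split(",")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level", "0")),
            "if_sid": [s.strip() for s in sids if s.strip()],
            "srcip": r.findtext("srcip"),
            "description": r.findtext("description") or "",
        })
    return rules


def evaluate(event, rules):
    """Rule phase: return (ids of matching rules, decoded fields)."""
    fields = decode(event)
    matched = []
    for r in rules:
        if r["if_sid"] and event["parent_sid"] not in r["if_sid"]:
            continue
        # <srcip> is compared with the decoded field.  With no decoded srcip
        # there is nothing to compare, so the rule cannot match and the
        # parent alert is not silenced.
        if r["srcip"] is not None and fields["srcip"] != r["srcip"]:
            continue
        matched.append(r["id"])
    return matched, fields


def report(event, rules):
    matched, fields = evaluate(event, rules)
    print(f"log:     {event['log']}")
    print(f"srcip:   {fields['srcip']!r}")
    print(f"matched: {matched or 'none, parent alert still fires'}")
    return matched


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    report(EVENT_NO_SRCIP, rules)    # srcip None, no local rule matches
    report(EVENT_WITH_SRCIP, rules)  # srcip 192.168.1.2, rule 100002 matches
```

On a real OSSEC server the same check is done by piping one copy of the offending log line into `/var/ossec/bin/ossec-logtest` and reading the decoding-phase output: if no `srcip` line appears there, the `<srcip>` conditions above are the reason the rules never fire. Filtering on the reporting host rather than on an address inside the message is what the `<hostname>` rule option is for in OSSEC's rule syntax (a fact about OSSEC, not something stated in the thread).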
