srcip doesn't get pulled out. hostname does.
I changed the rule from srcip to hostname, but I'm still getting the alerts.

On Mon, Sep 27, 2010 at 1:10 PM, dan (ddp) <[email protected]> wrote:
> Use ossec-logtest and a sample log event. Make sure the srcip is
> getting pulled out of the message properly.
>
> On Mon, Sep 27, 2010 at 1:46 PM, Joe S <[email protected]> wrote:
>> I'm running OSSEC 2.4.1 on my agents (linux) and server (linux).
>>
>> I have a local rules file that looks like this:
>>
>> <group name="local,syslog,">
>>
>>   <rule id="100001" level="0">
>>     <if_sid>553</if_sid>
>>     <srcip>192.168.1.1</srcip>
>>     <description>Ignore deleted log messages from server1</description>
>>   </rule>
>>
>>   <rule id="100002" level="0">
>>     <if_sid>1003</if_sid>
>>     <srcip>192.168.1.2</srcip>
>>     <description>Ignore size too large messages from server2</description>
>>   </rule>
>>
>>   <rule id="100003" level="0">
>>     <if_sid>5104</if_sid>
>>     <srcip>192.168.1.3</srcip>
>>     <description>Ignore promiscuous mode messages from server3</description>
>>   </rule>
>>
>> </group>
>>
>> But I'm still getting these alerts.
>>
>> How can I troubleshoot this?
>>
>> I've restarted OSSEC multiple times.
>>
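
The point of dan's ossec-logtest advice, as an added example that is not part of the thread and not OSSEC's own code: a `<srcip>` condition in a rule can only match if the decoder for that event actually produced a `srcip` field, whereas `hostname` comes from the syslog header and is there for every syslog line. The toy model below mimics the three phases ossec-logtest prints (pre-decoding, decoding, rules) for two constructed events: a kernel "promiscuous mode" line, whose decoder extracts no srcip, and an sshd failure line, whose decoder does. The decoders, rule levels, base-rule descriptions and sample log lines are assumptions made for illustration; only the rule ids 5104 and 100003 and the local rule's `<srcip>`/`<description>` values come from the thread.

```python
"""Toy model of the OSSEC pre-decode -> decode -> rules pipeline.

Added example, not OSSEC's own code. It mimics what ossec-logtest shows for a
pasted log line so you can see why a <srcip> rule never fires on an event whose
decoder extracts no srcip, while a <hostname> rule keyed on the syslog header
does. Decoders, rule levels and sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (not taken from the thread).
KERNEL_PROMISC = "Sep 27 13:01:02 server3 kernel: device eth0 entered promiscuous mode"
SSH_FAILED = ("Sep 27 13:01:04 server2 sshd[2312]: Failed password for root "
              "from 192.168.1.2 port 51122 ssh2")

# Phase 1 (pre-decoding): syslog header -> hostname, program_name, log body.
SYSLOG_HDR = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) "
                        r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$")

# Phase 2 (decoding): toy decoders keyed on program_name, each with optional
# field regexes. Only the sshd decoder has a pattern that yields srcip; the
# kernel decoder extracts nothing beyond the header fields.
DECODERS = {
    "sshd": {"srcip": re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")},
    "kernel": {},
}


def decode(event: str) -> Dict[str, str]:
    """Return the fields a decoder would expose to the rules for this event."""
    m = SYSLOG_HDR.match(event)
    if not m:
        return {"log": event}
    fields = m.groupdict()
    for name, rx in DECODERS.get(fields["program_name"], {}).items():
        hit = rx.search(fields["log"])
        if hit:
            fields[name] = hit.group(1)
    return fields


@dataclass
class Rule:
    id: int
    level: int
    description: str
    program_name: Optional[str] = None
    match: Optional[str] = None     # substring that must appear in the log body
    srcip: Optional[str] = None     # like <srcip>: needs a decoded srcip field
    hostname: Optional[str] = None  # like <hostname>: the syslog header host
    if_sid: Optional[int] = None    # like <if_sid>: parent rule that must fire first


def _matches(rule: Rule, f: Dict[str, str]) -> bool:
    if rule.program_name and f.get("program_name") != rule.program_name:
        return False
    if rule.match and rule.match not in f.get("log", ""):
        return False
    # A srcip condition compares against the decoded field; if the decoder
    # never set srcip, f.get("srcip") is None and the rule cannot match.
    if rule.srcip and f.get("srcip") != rule.srcip:
        return False
    if rule.hostname and f.get("hostname") != rule.hostname:
        return False
    return True


NO_MATCH = Rule(0, 0, "no rule matched")


def evaluate(event: str, rules: List[Rule]) -> Rule:
    """Phase 3 (rules): first matching parent wins; its if_sid children are tried next."""
    f = decode(event)
    for parent in (r for r in rules if r.if_sid is None):
        if not _matches(parent, f):
            continue
        for child in (r for r in rules if r.if_sid == parent.id):
            if _matches(child, f):
                return child
        return parent
    return NO_MATCH


# Constructed stand-ins for the built-in parent rules (levels are assumed).
BASE_RULES = [
    Rule(5104, 8, "Interface entered in promiscuous mode",
         program_name="kernel", match="entered promiscuous mode"),
    Rule(5716, 5, "SSHD authentication failed",
         program_name="sshd", match="Failed password"),
]
# The poster's original local rule, keyed on srcip: for a kernel event the
# decoder extracts no srcip, so this child can never fire.
SRCIP_RULE = Rule(100003, 0, "Ignore promiscuous mode messages from server3",
                  if_sid=5104, srcip="192.168.1.3")
# The same rule keyed on the syslog hostname, which every syslog line has.
HOSTNAME_RULE = Rule(100003, 0, "Ignore promiscuous mode messages from server3",
                     if_sid=5104, hostname="server3")


def logtest(event: str, local_rules: List[Rule]) -> Dict[str, object]:
    """Summarise what ossec-logtest's three phases would report for the event."""
    rule = evaluate(event, BASE_RULES + local_rules)
    return {"fields": decode(event), "rule_id": rule.id, "level": rule.level,
            "alerts": rule.level > 0}  # level 0 means the event is ignored


if __name__ == "__main__":
    for label, rules in (("srcip-keyed", [SRCIP_RULE]), ("hostname-keyed", [HOSTNAME_RULE])):
        r = logtest(KERNEL_PROMISC, rules)
        print(f"{label}: fields={r['fields']} -> rule {r['rule_id']} level {r['level']}")
    print("sshd event fields:", logtest(SSH_FAILED, [])["fields"])
```

On a real server the equivalent check is to run `/var/ossec/bin/ossec-logtest` and paste one of the alerting lines: the Phase 2 output lists the decoded fields, and if `srcip` is not among them no `<srcip>` rule can match that event. The same check applies to the hostname variant: the value in `<hostname>` has to match what Phase 1 reports as the hostname for that event (a short name and an FQDN are different strings), so if the hostname-keyed rule still does not silence the alert, compare its value against the logtest output before looking anywhere else.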
