I found the problem. When using multiple hostnames, I needed to use the "|" (pipe)
On Mon, Sep 27, 2010 at 11:11 PM, Joe S <[email protected]> wrote:
> srcip doesn't get pulled out.
>
> hostname does.
>
> I changed the rule from srcip to hostname, but I'm still getting the alerts.
>
>
> On Mon, Sep 27, 2010 at 1:10 PM, dan (ddp) <[email protected]> wrote:
>> Use ossec-logtest and a sample log event. Make sure the srcip is
>> getting pulled out of the message properly.
>>
>> On Mon, Sep 27, 2010 at 1:46 PM, Joe S <[email protected]> wrote:
>>> I'm running OSSEC 2.4.1 on my agents (linux) and server (linux).
>>>
>>> I have a local rules file that looks like this:
>>>
>>> <group name="local,syslog,">
>>>
>>>   <rule id="100001" level="0">
>>>     <if_sid>553</if_sid>
>>>     <srcip>192.168.1.1</srcip>
>>>     <description>Ignore deleted log messages from server1</description>
>>>   </rule>
>>>
>>>   <rule id="100002" level="0">
>>>     <if_sid>1003</if_sid>
>>>     <srcip>192.168.1.2</srcip>
>>>     <description>Ignore size too large messages from server2</description>
>>>   </rule>
>>>
>>>   <rule id="100003" level="0">
>>>     <if_sid>5104</if_sid>
>>>     <srcip>192.168.1.3</srcip>
>>>     <description>Ignore promiscuous mode messages from server3</description>
>>>   </rule>
>>>
>>> </group>
>>>
>>> But I'm still getting these alerts.
>>>
>>> How can I troubleshoot this?
>>>
>>> I've restarted OSSEC multiple times.
>>>
>>
>
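For readers landing on this thread, here is what the corrected local rules file looks like once the two findings above are combined: the events in question carry a decoded hostname but no srcip (so a `<srcip>` condition can never match), and several hostnames inside one `<hostname>` element are separated with "|". This is an added example, not a file posted in the thread; the hostnames server1, server2 and server3 are placeholders, and the rule ids and `<if_sid>` values are the ones from the original post.

```xml
<group name="local,syslog,">

  <!-- Suppress the "deleted log" alert (rule 553) when it comes from
       either server1 or server2. The "|" separates alternative
       hostnames inside a single <hostname> element. -->
  <rule id="100001" level="0">
    <if_sid>553</if_sid>
    <hostname>server1|server2</hostname>
    <description>Ignore deleted log messages from server1 and server2</description>
  </rule>

  <!-- Single hostname: no separator needed. -->
  <rule id="100002" level="0">
    <if_sid>1003</if_sid>
    <hostname>server2</hostname>
    <description>Ignore size too large messages from server2</description>
  </rule>

  <rule id="100003" level="0">
    <if_sid>5104</if_sid>
    <hostname>server3</hostname>
    <description>Ignore promiscuous mode messages from server3</description>
  </rule>

</group>
```

Level 0 is what makes these rules act as suppressions: a match at level 0 ends processing for that event without raising an alert. After editing the file and restarting OSSEC, paste one of the offending log lines into ossec-logtest (installed by default under /var/ossec/bin) and confirm two things in its output: that the decoding phase shows a hostname value at all, and that the filtering phase reports one of the 1000xx rule ids at level 0. If the decoder shows no hostname, the rule condition has nothing to match against and the fix has to happen at the decoder level, not in the rule.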
