On Wed, Sep 29, 2010 at 2:13 PM, Chris Decker <[email protected]> wrote:
> Dan,
>
> Thanks. The "local_ip" setting appears to be what I need. I'll investigate
> further to see if inodes are the culprit for the syscheck issue.
>
> Regarding item #3: One alert contains an IP address (the successful SSH
> session), but the other two alerts are from PAM and do NOT contain an IP
> address, making it difficult to create an exclusion rule with a level of 0.
> I didn't know if there was a way to say "if rule x hit within the last few
> seconds, and this event has criteria x and y, then use a level of 0".
> Hopefully that makes sense.
>
> Again, appreciate all of your help.
>
I'm not aware of a way to say something like:

  If rule X fires with value a, and rule Y fires within b seconds, ignore rule Y

The PAM alerts should have some information associated with them, a username or something. If that username is unique to the nagios application (and it should be, unless you have to use root), that could be the distinguishing factor for filtering on that alert.

Posting sample logs (obfuscate real IPs and usernames) might help in filtering this out. I'll try looking to see if I have any sshd/PAM logs lying around that might be the same/similar.
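As an added illustration of the username-keyed suppression suggested above (not from this thread or from the OSSEC project), a local_rules.xml entry that drops the PAM session alerts to level 0 only when the decoded user is the monitoring account. Assumptions: the stock PAM rules 5501 (session opened) and 5502 (session closed) are the ones firing, and the account name is "nagios".

```xml
<group name="local,">
  <!-- Assumed: OSSEC's stock PAM rules 5501 (session opened) and 5502
       (session closed) are the ones firing, and the monitoring account
       is "nagios". Adjust the parent IDs and user to match your logs. -->
  <rule id="100010" level="0">
    <if_sid>5501,5502</if_sid>
    <!-- Match on the decoded user field, so root or any other account
         opening a session keeps its normal alert level. -->
    <user>nagios</user>
    <description>Ignore PAM session open/close for the nagios monitoring account.</description>
  </rule>
</group>
```

Feed one of the real PAM lines through ossec-logtest to confirm the decoder actually populates the user field before relying on this rule.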
