Adjust the following and add it to /var/ossec/rules/local_rules.xml:

  <rule id="SOME_ID" level="0">
    <if_sid>5402</if_sid>
    <user>root</user>
    <match>/opt/splunk/etc/apps/ossec/bin</match>
    <description>Ignore splunk.</description>
  </rule>
On Wed, Mar 2, 2011 at 1:01 PM, satish patel <[email protected]> wrote:
> I have ossec + splunk configured and I am getting the following message
> again and again. How to get rid of this? How to change rules to
> ignore only the following message?
>
> ** Alert 1299088508.45319: - syslog,sudo
> 2011 Mar 02 09:55:08 vmg035->/var/log/auth.log
> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> Src IP: (none)
> User: root
> Mar  2 09:55:07 vmg035 sudo: root : TTY=pts/1 ;
> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ;
> COMMAND=/var/ossec/bin/agent_control -l
>
>
> -Satish
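As an added illustration (not part of the thread and not OSSEC's own code), the Python toy below models how a level-0 child rule with <if_sid>5402</if_sid> replaces the parent alert, and compares the PWD-based rule from the reply with a narrower variant that keys on the COMMAND field instead. The decoder regexes, the Event and Rule classes, the rule ids 100010 and 100011, and the two extra log lines are constructed for this example; it also assumes that <match> is a plain substring test on the message body and that <user> is compared with the decoded destination user, which is a simplification of what analysisd does.

```python
"""Toy model of how an OSSEC <if_sid> child rule suppresses a parent alert.

Added illustration, not OSSEC code: it approximates analysisd matching for
one parent rule (5402) and its <if_sid> children, just enough to compare
the PWD-based suppression rule from the thread with a COMMAND-based one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines. The first reproduces the sudo line quoted in
# the thread; the other two are made up to probe what each rule silences.
SAMPLE_LOGS = [
    "Mar  2 09:55:07 vmg035 sudo: root : TTY=pts/1 ; "
    "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
    "COMMAND=/var/ossec/bin/agent_control -l",
    "Mar  2 10:12:44 vmg035 sudo: root : TTY=pts/1 ; "
    "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/bin/bash",
    "Mar  2 10:20:01 vmg035 sudo: alice : TTY=pts/2 ; "
    "PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]

# Stand-in for the syslog and sudo decoders (constructed, simplified):
# split the line into program name and message body, then pull out the
# fields a rule can test.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<body>.*)$")
SUDO_RE = re.compile(
    r"^(?P<srcuser>\S+) : TTY=\S+ ; PWD=(?P<pwd>.*?) ; USER=(?P<dstuser>\S+) ; "
    r"COMMAND=(?P<command>.*)$")


@dataclass
class Event:
    program: str
    body: str      # text that <match> is tested against in this model
    srcuser: str
    dstuser: str
    pwd: str
    command: str


def decode(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    body = m.group("body")
    s = SUDO_RE.match(body)
    if not s:
        raise ValueError(f"not a sudo line: {body!r}")
    return Event(m.group("prog"), body, s["srcuser"], s["dstuser"],
                 s["pwd"], s["command"])


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None   # parent rule this one refines
    user: Optional[str] = None     # compared with the decoded destination user
    match: Optional[str] = None    # plain substring test on the message body

    def hits(self, ev: Event) -> bool:
        if self.user is not None and ev.dstuser != self.user:
            return False
        if self.match is not None and self.match not in ev.body:
            return False
        return True


# Parent rule as it appears in the thread's alert (level 3, sudo to root).
RULE_5402 = Rule(5402, 3, "Successful sudo to ROOT executed", user="root")


def evaluate(line: str, local_rules: List[Rule]) -> Tuple[int, int]:
    """Return the (rule id, level) that finally fires for one log line.

    Once the parent matches, its <if_sid> children are tried in order and
    the first matching child replaces the parent's id and level.
    """
    ev = decode(line)
    if ev.program != "sudo" or not RULE_5402.hits(ev):
        return (0, 0)  # no sudo-to-root alert at all
    for child in local_rules:
        if child.if_sid == RULE_5402.id and child.hits(ev):
            return (child.id, child.level)
    return (RULE_5402.id, RULE_5402.level)


# The rule from the reply, with a constructed id in the local range
# (100000-119999): it silences any root sudo run from the Splunk app dir.
BROAD = [Rule(100010, 0, "Ignore splunk.", if_sid=5402, user="root",
              match="/opt/splunk/etc/apps/ossec/bin")]
# Narrower alternative: key on the polled command, not the directory.
NARROW = [Rule(100011, 0, "Ignore splunk agent_control poll.", if_sid=5402,
               user="root", match="COMMAND=/var/ossec/bin/agent_control")]


def compare(local_rules: List[Rule]) -> List[Tuple[int, int]]:
    return [evaluate(line, local_rules) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("narrow", NARROW)):
        print(name, compare(rules))
```

The broad rule silences both the agent_control poll and a constructed `sudo /bin/bash` issued from the same directory, while the narrow rule only silences the poll and lets the other two lines fall through to rule 5402 at level 3. On a real install the same comparison is done by editing local_rules.xml and feeding the log line to /var/ossec/bin/ossec-logtest.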
