Solved:

Created rules to ignore keywords in /var/ossec/rules/local_rules.xml:

 <rule id="100002" level="0">
   <if_sid>5400</if_sid>
   <match>agent_control</match>
   <description>Events ignored for splunk</description>
 </rule>
On Wed, Mar 2, 2011 at 1:01 PM, satish patel <[email protected]> wrote:
> I have ossec + splunk configured and I am getting the following message
> again and again. How do I get rid of this? How do I change the rules to
> ignore only the following message?
>
> ** Alert 1299088508.45319: - syslog,sudo
> 2011 Mar 02 09:55:08 vmg035->/var/log/auth.log
> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> Src IP: (none)
> User: root
> Mar  2 09:55:07 vmg035 sudo:     root : TTY=pts/1 ;
> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ;
> COMMAND=/var/ossec/bin/agent_control -l
>
>
> -Satish
>

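An offline check of what the posted level-0 rule actually catches, added here as an example (it is not part of the thread and not OSSEC code). It approximates OSSEC matching: `<match>` is treated as a plain substring test, `<regex>` is evaluated with Python's `re` module (OSSEC has its own regex dialect), and the stock parent rules 5400 and 5402 are stand-ins written for this script, not their real definitions from syslog_rules.xml. Rule 100003, its id, its regex and the two non-Splunk sample lines are assumptions; they exist to show that a keyword rule on `agent_control` also hides other `agent_control` invocations made as root (for example restarting an agent), whereas a rule keyed on the full Splunk command line does not. The authoritative test on a real install is to feed the same lines to `/var/ossec/bin/ossec-logtest`.

```python
"""Offline sanity check for the level-0 suppression rule posted in the reply.

Added example, not part of the original thread or of OSSEC. Matching is
simplified: <match> is a substring test, <regex> uses Python's re module,
and the parent rules 5400/5402 are stand-ins (assumptions, not OSSEC's own).
"""
import re
import xml.etree.ElementTree as ET

# Rule 100002 is the one from the reply. Rule 100003 is a hypothetical tighter
# variant (id and content are assumptions) that keys off the exact Splunk
# command line instead of the keyword "agent_control" anywhere in the event.
LOCAL_RULES = """<group name="local,">
  <rule id="100002" level="0">
    <if_sid>5400</if_sid>
    <match>agent_control</match>
    <description>Events ignored for splunk</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>5402</if_sid>
    <regex>PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/var/ossec/bin/agent_control -l$</regex>
    <description>Splunk OSSEC app polling agent status</description>
  </rule>
</group>"""


# Stand-ins for the stock parent rules (simplified assumptions): 5400 fires on
# any sudo line, 5402 on a sudo line whose target user is root.
def parent_5400(line):
    return " sudo: " in line


def parent_5402(line):
    return parent_5400(line) and " USER=root ; " in line


PARENTS = {"5400": parent_5400, "5402": parent_5402}


def load_rules(xml_text):
    """Parse <rule> elements into dicts (id, level, if_sid, match, regex)."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"),
            "match": r.findtext("match"),
            "regex": r.findtext("regex"),
        })
    return rules


def rule_matches(rule, line):
    """True when the parent rule fires and the rule's own condition hits."""
    parent = PARENTS.get(rule["if_sid"])
    if parent is None or not parent(line):
        return False
    if rule["match"] is not None and rule["match"] not in line:
        return False
    if rule["regex"] is not None and re.search(rule["regex"], line) is None:
        return False
    return True


def matching_rule_ids(rules, line):
    return [r["id"] for r in rules if rule_matches(r, line)]


def suppressed_by(rules, line):
    """Ids of level-0 rules that fire; any hit means no alert reaches Splunk."""
    return [r["id"] for r in rules if r["level"] == 0 and rule_matches(r, line)]


# Constructed sample lines: SPLUNK_POLL is the line from the alert in the
# thread; the other two are invented to show what each rule hides.
SPLUNK_POLL = ("Mar  2 09:55:07 vmg035 sudo:     root : TTY=pts/1 ; "
               "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
               "COMMAND=/var/ossec/bin/agent_control -l")
ROOT_SHELL = ("Mar  2 10:12:44 vmg035 sudo:     alice : TTY=pts/2 ; "
              "PWD=/home/alice ; USER=root ; COMMAND=/bin/bash")
RESTART_AGENT = ("Mar  2 10:20:01 vmg035 sudo:     bob : TTY=pts/3 ; "
                 "PWD=/home/bob ; USER=root ; "
                 "COMMAND=/var/ossec/bin/agent_control -R 001")

if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    for name, line in [("splunk poll", SPLUNK_POLL), ("root shell", ROOT_SHELL),
                       ("agent restart", RESTART_AGENT)]:
        print(f"{name:14s} matches={matching_rule_ids(rules, line)} "
              f"suppressed_by={suppressed_by(rules, line)}")
```

Running it shows the Splunk polling line suppressed by both rules, the plain root shell untouched, and the agent restart suppressed only by the keyword rule 100002, which is the trade-off to weigh before keeping a broad `<match>` on a sudo-to-root event.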