The message you provided in your original email used id 5402. So that's what I used. If you want to ignore rule id 5400, use 5400. If you want to ignore rule id 5402 then use 5402.
On Wed, Mar 2, 2011 at 3:33 PM, satish patel <[email protected]> wrote:
> Hey, what <if_sid> should I use in rules?
>
> 5402 or 5400?
>
> Because before I used 5402, which didn't work; then after I changed it
> to 5400 it resolved. Still confused.
>
> On Wed, Mar 2, 2011 at 3:18 PM, dan (ddp) <[email protected]> wrote:
>> Adjust the following and add it to /var/ossec/rules/local_rules.xml:
>>
>> <rule id="SOME_ID" level="0">
>>   <if_sid>5402</if_sid>
>>   <user>root</user>
>>   <match>/opt/splunk/etc/apps/ossec/bin</match>
>>   <description>Ignore splunk.</description>
>> </rule>
>>
>> On Wed, Mar 2, 2011 at 1:01 PM, satish patel <[email protected]> wrote:
>>> I have ossec + splunk configured and I am getting the following message
>>> again and again. How do I get rid of this? How do I change the rules to
>>> ignore only the following message?
>>>
>>> ** Alert 1299088508.45319: - syslog,sudo
>>> 2011 Mar 02 09:55:08 vmg035->/var/log/auth.log
>>> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
>>> Src IP: (none)
>>> User: root
>>> Mar 2 09:55:07 vmg035 sudo: root : TTY=pts/1 ;
>>> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ;
>>> COMMAND=/var/ossec/bin/agent_control -l
>>>
>>> -Satish
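A complete local_rules.xml version of the override discussed in the thread, added here as an example rather than taken from any of the posts. The rule id 100001 is assumed (OSSEC reserves 100000-119999 for local rules), the group wrapper is the one the stock local_rules.xml uses, and the match string is taken from the COMMAND field of the log line quoted above rather than from the working directory, so that only the Splunk app's agent_control call is silenced and other root sudo activity from that directory still alerts:

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example, not from the original thread. Rule id 100001 is
     assumed; OSSEC keeps 100000-119999 free for local rules. -->
<group name="local,syslog,sudo,">

  <!-- Level 0 means "ignored": OSSEC takes no action when this rule
       fires, so a level-0 child that matches silences the alert the
       parent (5402, the rule named in the alert above) would raise. -->
  <rule id="100001" level="0">
    <if_sid>5402</if_sid>
    <user>root</user>
    <!-- <match> is OSSEC's simple pattern (sregex): a plain substring
         test against the whole log line, with only ^, $ and | treated
         specially. Match the command, not the cwd, to keep the
         exception narrow. -->
    <match>COMMAND=/var/ossec/bin/agent_control</match>
    <description>Ignore the Splunk OSSEC app running agent_control as root.</description>
  </rule>

</group>
```

After editing the file, restart OSSEC with /var/ossec/bin/ossec-control restart so the new rule is loaded, then paste the raw auth.log line (the `Mar 2 09:55:07 vmg035 sudo: root : TTY=pts/1 ; ...` line) into /var/ossec/bin/ossec-logtest: it should report rule 100001 at level 0 instead of 5402 at level 3. Pasting a sudo line with a different COMMAND confirms that those still hit 5402.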
