The message you provided in your original email used id 5402. So
that's what I used.
If you want to ignore rule id 5400, use 5400. If you want to ignore
rule id 5402 then use 5402.

On Wed, Mar 2, 2011 at 3:33 PM, satish patel <[email protected]> wrote:
> Hey, what <id_sid> should I use in rules?
>
> 5402 or 5400
>
> because before I used 5402, which didn't work; then after I changed it
> to 5400 it resolved. Still confused.
>
>
>
> On Wed, Mar 2, 2011 at 3:18 PM, dan (ddp) <[email protected]> wrote:
>> Adjust the following and add it to /var/ossec/rules/local_rules.xml:
>>
>> <rule id="SOME_ID" level="0">
>>  <if_sid>5402</if_sid>
>>  <user>root</user>
>>  <match>/opt/splunk/etc/apps/ossec/bin</match>
>>  <description>Ignore splunk.</description>
>> </rule>
>>
>> On Wed, Mar 2, 2011 at 1:01 PM, satish patel <[email protected]> wrote:
>>> I have ossec + splunk configured and I am getting the following message
>>> again and again. How do I get rid of this? How do I change the rules to
>>> ignore only the following message?
>>>
>>> ** Alert 1299088508.45319: - syslog,sudo
>>> 2011 Mar 02 09:55:08 vmg035->/var/log/auth.log
>>> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
>>> Src IP: (none)
>>> User: root
>>> Mar  2 09:55:07 vmg035 sudo:     root : TTY=pts/1 ;
>>> PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ;
>>> COMMAND=/var/ossec/bin/agent_control -l
>>>
>>>
>>> -Satish
>>>
>>
>
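Added illustration, not part of this thread and not OSSEC's real engine: a small Python model of why the override must name the rule that actually fired (5402 here). A child rule with if_sid is only evaluated after its parent matched, and a level-0 child then replaces the parent's alert. The id 100001 (from the 100000-119999 range OSSEC reserves for local rules), the regex decoder and the second log line are assumptions constructed for this example.

```python
import re

# Constructed, simplified model of OSSEC rule chaining (not the real engine).
# Decoder for the sudo line: invoking user, PWD, target user, command.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)")

RULES = [
    # Stand-in for stock rule 5402 "Successful sudo to ROOT executed".
    {"id": 5402, "level": 3, "if_sid": None, "runas": "root",
     "user": None, "match": None},
    # Local override from the thread: id chosen from the local range
    # (assumption), child of 5402, level 0 means "do not alert".
    {"id": 100001, "level": 0, "if_sid": 5402, "runas": None,
     "user": "root", "match": "/opt/splunk/etc/apps/ossec/bin"},
]

# Log line from the thread, and a constructed line that should still alert.
SPLUNK_LINE = ("Mar  2 09:55:07 vmg035 sudo:     root : TTY=pts/1 ; "
               "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
               "COMMAND=/var/ossec/bin/agent_control -l")
OTHER_LINE = ("Mar  2 10:00:00 vmg035 sudo:     alice : TTY=pts/2 ; "
              "PWD=/home/alice ; USER=root ; COMMAND=/bin/bash")


def rule_matches(rule, fields, line):
    # <user> compares against the decoded user; <match> is a substring
    # test against the whole log line; runas stands in for the parent's test.
    if rule["runas"] and fields["runas"] != rule["runas"]:
        return False
    if rule["user"] and fields["user"] != rule["user"]:
        return False
    if rule["match"] and rule["match"] not in line:
        return False
    return True


def evaluate(line):
    """Return (rule id, level) of the most specific rule that fires, or None."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Step 1: only top-level rules (no if_sid) are tried against the event.
    fired = next((r for r in RULES
                  if r["if_sid"] is None and rule_matches(r, fields, line)), None)
    if fired is None:
        return None
    # Step 2: children whose if_sid names the fired rule may override it.
    for child in RULES:
        if child["if_sid"] == fired["id"] and rule_matches(child, fields, line):
            fired = child
    return fired["id"], fired["level"]
```

A child whose if_sid pointed at 5400 would never be reached for this event, because 5400 is not the rule that fired for it.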
