Oh, somehow I thought the OP was trying to suppress ALL sudo notifications. Re-reading, I can see that's obviously not the case. Sorry, my bad.
> -----Original Message-----
> From: dan (ddp) [mailto:[email protected]]
> Sent: Wednesday, March 02, 2011 3:05 PM
> To: [email protected]
> Subject: Re: [ossec-list] Splunk + Ossec Successful sudo to ROOT executed
>
> I purposely put that there in an attempt to make sure it's only ignoring the splunk OSSEC app.
> I like to be as specific as possible in my rules. Hopefully less false negatives that way...
>
> On Wed, Mar 2, 2011 at 3:57 PM, Nate Woodward <[email protected]> wrote:
> > Looks to me like your original rule (with id_sid=5402) is only matching when the user
> > executes sudo from the /opt/splunk/etc/apps/ossec/bin directory. Maybe try removing
> > the <match> part?
> >
> >> -----Original Message-----
> >> From: satish patel [mailto:[email protected]]
> >> Sent: Wednesday, March 02, 2011 2:33 PM
> >> To: [email protected]
> >> Subject: Re: [ossec-list] Splunk + Ossec Successful sudo to ROOT executed
> >>
> >> Hey what <id_sid> should I use in rules?
> >>
> >> 5402 or 5400
> >>
> >> because before I used 5402 which didn't work, then after I changed it to 5400
> >> it resolved. still confused
> >>
> >> On Wed, Mar 2, 2011 at 3:18 PM, dan (ddp) <[email protected]> wrote:
> >> > Adjust the following and add it to /var/ossec/rules/local_rules.xml:
> >> >
> >> > <rule id="SOME_ID" level="0">
> >> >   <if_sid>5402</if_sid>
> >> >   <user>root</user>
> >> >   <match>/opt/splunk/etc/apps/ossec/bin</match>
> >> >   <description>Ignore splunk.</description>
> >> > </rule>
> >> >
> >> > On Wed, Mar 2, 2011 at 1:01 PM, satish patel <[email protected]> wrote:
> >> >> I have ossec + splunk configured and I am getting the following message
> >> >> again and again. How to get rid of this? How to change rules to
> >> >> ignore only the following message?
> >> >>
> >> >> ** Alert 1299088508.45319: - syslog,sudo
> >> >> 2011 Mar 02 09:55:08 vmg035->/var/log/auth.log
> >> >> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> >> >> Src IP: (none)
> >> >> User: root
> >> >> Mar 2 09:55:07 vmg035 sudo: root : TTY=pts/1 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/var/ossec/bin/agent_control -l
> >> >>
> >> >> -Satish
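The rule dan posted, and Nate's point that its `<match>` only suppresses sudo runs from the Splunk app directory, modelled as an added Python example (this is not OSSEC's own matching code and is not from the thread). Assumptions: rule id 100100 in place of SOME_ID, the second and third log lines, and the simplified semantics that `<user>` compares the invoking user and `<match>` is a substring test on the whole line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed auth.log lines in the format quoted in the thread; only the first is from the thread.
SAMPLE_LOGS = [
    "Mar  2 09:55:07 vmg035 sudo: root : TTY=pts/1 ; PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/var/ossec/bin/agent_control -l",
    "Mar  2 10:12:41 vmg035 sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Mar  2 10:13:02 vmg035 sudo: root : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/var/ossec/bin/agent_control -l",
]
# Fields of the sudo line; the alert in the thread shows OSSEC decoding "User: root" from it.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=\S+\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$")
@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None  # parent rule this one refines
    user: Optional[str] = None    # decoded invoking user must equal this
    match: Optional[str] = None   # substring that must occur in the log line

# Simplified stand-in for rule 5402 plus the level-0 child rule from the thread.
# 100100 is an assumed id in the local-rules range; SOME_ID in the thread is a placeholder.
RULES = [
    Rule(5402, 3, "Successful sudo to ROOT executed"),
    Rule(100100, 0, "Ignore splunk.", if_sid=5402, user="root", match="/opt/splunk/etc/apps/ossec/bin"),
]

def evaluate(line: str, rules: List[Rule]) -> Optional[Rule]:
    """Return the most specific matching rule, or None if the line is not a sudo-to-root event."""
    m = SUDO_RE.search(line)
    if not m or m.group("target") != "root":
        return None
    parent = next(r for r in rules if r.id == 5402)
    # A child rule (if_sid) replaces its parent only when every condition it carries holds,
    # so the <match> on the Splunk app path keeps the suppression from touching sudo runs elsewhere.
    for child in rules:
        if child.if_sid != parent.id:
            continue
        if child.user is not None and child.user != m.group("user"):
            continue
        if child.match is not None and child.match not in line:
            continue
        return child
    return parent

def would_alert(line: str, rules: List[Rule] = RULES) -> bool:
    """True when the line still raises a non-zero level alert after the local rule is applied."""
    r = evaluate(line, rules)
    return r is not None and r.level > 0
```

Running `would_alert` over `SAMPLE_LOGS` shows the Splunk line suppressed while the other two sudo-to-root events still fire at level 3.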
