I just installed ossec for the first time, and I'm getting certain e-mail alerts that I cannot seem to figure out how to stop.

------ Here is one of the alerts:

OSSEC HIDS Notification.
2011 Mar 03 13:46:25

Received From: (pos-vm) 10.1.1.152->ossec
Rule: 503 fired (level 3) -> "Ossec agent started."
Portion of the log(s):

ossec: Agent started: 'pos-vm->10.1.1.152'.

--END OF NOTIFICATION

------ Here is the rule I added to local_rules.xml:

<rule id="100201" level="2">
  <if_sid>503</if_sid>
  <match>10.1.1.152</match>
  <srcip>10.1.1.152</srcip>
  <options>no_email_alert</options>
  <description>No e-mail alerts when work stations start up.</description>
</rule>

I have restarted ossec on the server and there are no error messages or warnings, but when I reboot 10.1.1.152, I still get the alert e-mail. I originally tried with srcip, but since that field isn't decoded by this rule, I also added match, but that didn't work either (and what I really need is probably regex, since I need to exclude a large number of workstations).

Some background: I have about 100 Linux workstations that are only used in the daytime, so they are shut down every evening and turned back on again every morning. These are perfectly normal events, and I do not want to get flooded with e-mails every time it happens.

------ Here is an entry from the alert log:

** Alert 1299196351.188961: mail - ossec,
2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'pos-vm->10.1.1.152'.

What do I need to do to solve this?

Thanks,
Lars
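An added example, not from the original post or from OSSEC itself, for checking whether a suppression like the one above is actually taking effect: it parses alerts.log entries in the format quoted in the post and counts the rule 503 alerts still flagged for e-mail, per agent. The sample entries are constructed (the first is the one from the post, the second an invented second workstation, pos-vm2 / 10.1.1.153), and the parser also records that "Src IP: (none)" means the decoder extracted no source IP for the event.

```python
import re
from collections import Counter
# Constructed sample: the first block is the entry from the post, the second is
# an invented second workstation (pos-vm2 / 10.1.1.153) so the count has two keys.
SAMPLE_ALERTS = """\
** Alert 1299196351.188961: mail - ossec,
2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'pos-vm->10.1.1.152'.

** Alert 1299196400.188990: mail - ossec,
2011 Mar 03 15:53:20 (pos-vm2) 10.1.1.153->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'pos-vm2->10.1.1.153'.
"""

# Line 1: "** Alert <id>: <flags> - <groups>,"  line 2: "<date> (<agent>) <ip>-><location>"
# (the "(<agent>) <ip> " part is absent for the server's own logs)  line 3: the rule.
HEADER = re.compile(r"^\*\* Alert (\S+):\s*(.*?)\s*-\s*(.*),$")
ORIGIN = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) )?(\S+)->(.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Turn alerts.log text into one dict per '** Alert' block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr, org, rule = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
        if not (hdr and org and rule):
            continue  # not an alert block in the expected shape
        fields = dict(ln.split(": ", 1) for ln in lines[3:5])  # "Src IP" and "User"
        entries.append({
            "mail": "mail" in hdr.group(2).split(), "groups": hdr.group(3).split(","),
            "time": org.group(1), "agent": org.group(2), "agent_ip": org.group(3),
            "rule": int(rule.group(1)), "level": int(rule.group(2)),
            # "(none)" means the decoder extracted no value, so a <srcip> condition
            # in a rule has nothing to compare against for this event
            "srcip": None if fields.get("Src IP", "(none)") == "(none)" else fields["Src IP"],
            "log": "\n".join(lines[5:]),
        })
    return entries

def mailed_agent_starts(entries):
    """Count rule-503 alerts still flagged for e-mail, keyed by (agent, agent IP)."""
    return Counter((e["agent"], e["agent_ip"]) for e in entries
                   if e["rule"] == 503 and e["mail"])
```

Run it over the real alerts.log after restarting the server; any agent that still appears in the count is one the child rule did not match.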
