try using the <hostname> attribute instead of match and srcip.

On Thu, Mar 3, 2011 at 4:19 PM, Lars <[email protected]> wrote:
> I just installed ossec for the first time, and I'm getting certain e-mail
> alerts that I cannot seem to figure out how to stop.
>
> ------ Here is one of the alerts:
> OSSEC HIDS Notification.
> 2011 Mar 03 13:46:25
>
> Received From: (pos-vm) 10.1.1.152->ossec
> Rule: 503 fired (level 3) -> "Ossec agent started."
> Portion of the log(s):
>
> ossec: Agent started: 'pos-vm->10.1.1.152'.
>
> --END OF NOTIFICATION
>
> ------ Here is the rule I added to local_rules.xml:
> <rule id="100201" level="2">
>   <if_sid>503</if_sid>
>   <match>10.1.1.152</match>
>   <srcip>10.1.1.152</srcip>
>   <options>no_email_alert</options>
>   <description>No e-mail alerts when work stations start up.</description>
> </rule>
>
> I have restarted ossec on the server and there are no error messages
> or warnings, but when I reboot 10.1.1.152, I still get the alert e-mail.
> I originally tried with srcip, but since that field isn't decoded by this
> rule, I also added match, but that didn't work either (and what I really
> need is probably regex, since I need to exclude a large number of
> workstations).
>
> Some background: I have about 100 Linux workstations that are only used
> day-time, so they are shut down every evening and turned back on again
> every morning. These are perfectly normal events, and I do not want to
> get flooded with e-mails every time it happens.
>
> ------ Here is an entry from the alert log:
> ** Alert 1299196351.188961: mail - ossec,
> 2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
> Rule: 503 (level 3) -> 'Ossec agent started.'
> Src IP: (none)
> User: (none)
> ossec: Agent started: 'pos-vm->10.1.1.152'.
>
> What do I need to do to solve this?
>
> Thanks,
> Lars
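As an added illustration of the suggestion above (this is not from the thread, and the group name and the "pos-" naming prefix are assumptions), here is a local_rules.xml fragment that keys on the agent name via `<hostname>` instead of `<match>`/`<srcip>`. The alert log shows `Src IP: (none)`, so `<srcip>` can never match rule 503; the agent name in the location prefix `(pos-vm) 10.1.1.152->ossec` is what `<hostname>` is compared against, and it accepts OSSEC's sregex syntax, so one anchored prefix can cover the whole fleet of workstations:

```xml
<!-- Added example, not the thread's own rule. Assumes all workstation
     agents are named with a "pos-" prefix; adjust the pattern to the real
     naming scheme. Restricting by hostname keeps rule 503 e-mails for
     every other agent (servers), so an unexpected agent restart there is
     still reported. -->
<group name="local,syslog,">
  <rule id="100201" level="2">
    <if_sid>503</if_sid>
    <!-- Matched against the agent name, not the log body or a decoded
         source IP. "^" anchors the prefix; "|" can list alternatives,
         e.g. ^pos-|^ws- -->
    <hostname>^pos-</hostname>
    <options>no_email_alert</options>
    <description>Workstation agent started (no e-mail).</description>
  </rule>
</group>
```

After restarting the server, a workstation boot should appear in alerts.log under rule 100201 at level 2 rather than rule 503 at level 3, and no mail should be sent for it; agents whose names do not match the prefix continue to fire rule 503 unchanged.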
