Okay, just tried that, but did not help (and hostname would've been cumbersome to use to specify a whole subnet).

Other suggestions?  I really need a solution to this.


On 3/3/2011 5:10 PM, Jeremy Lee wrote:
try using the <hostname> attribute instead of match and srcip.

On Thu, Mar 3, 2011 at 4:19 PM, Lars <[email protected] <mailto:[email protected]>> wrote:

    I just installed ossec for the first time, and I'm getting
    certain e-mail alerts that I cannot seem to figure out how to stop.

    ------ Here is one of the alerts:
    OSSEC HIDS Notification.
    2011 Mar 03 13:46:25

    Received From: (pos-vm) 10.1.1.152->ossec
    Rule: 503 fired (level 3) -> "Ossec agent started."
    Portion of the log(s):

    ossec: Agent started: 'pos-vm->10.1.1.152'.



     --END OF NOTIFICATION

    ------ Here is the rule I added to local_rules.xml:
    <rule id="100201" level="2">
    <if_sid>503</if_sid>
    <match>10.1.1.152</match>
    <srcip>10.1.1.152</srcip>
    <options>no_email_alert</options>
    <description>No e-mail alerts when work stations start up.</description>
    </rule>

    I have restarted ossec on the server and there are no error messages
    or warnings, but when I reboot 10.1.1.152, I still get the alert
    e-mail.  I originally tried with srcip, but since that field isn't
    decoded by this rule, I also added match, but that didn't work either
    (and what I really need is probably regex, since I need to exclude a
    large number of workstations).

    Some background: I have about 100 Linux workstations that are only
    used day-time, so they are shut down every evening and turned back on
    again every morning.  These are perfectly normal events, and I do not
    want to get flooded with e-mails every time it happens.

    ------ Here is an entry from the alert log:
    ** Alert 1299196351.188961: mail  - ossec,
    2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
    Rule: 503 (level 3) -> 'Ossec agent started.'
    Src IP: (none)
    User: (none)
    ossec: Agent started: 'pos-vm->10.1.1.152'.

    What do I need to do to solve this?

    Thanks,
    Lars
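The alert-log entries above show why `<srcip>` never matches: OSSEC reports `Src IP: (none)` for rule 503, and the only place the workstation's address appears is inside the message text `Agent started: 'host->ip'`. The following script is an added example (not part of this thread or of OSSEC itself) that parses that alert-log format, pulls the host and IP out of the message, and keeps only the agent starts that are not the routine daily power-on. The workstation subnet `10.1.1.0/24`, the 06:00 to 20:00 window and the second sample alert are assumptions constructed for the demonstration.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample in the alert-log format quoted in the thread. The first
# entry is the one from the e-mail; the second is made up to show an agent
# start that is NOT a routine workstation boot (odd hour, other subnet).
SAMPLE_ALERTS = """\
** Alert 1299196351.188961: mail  - ossec,
2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'pos-vm->10.1.1.152'.

** Alert 1299200000.000001: mail  - ossec,
2011 Mar 03 23:33:20 (lab-box) 10.9.9.7->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'lab-box->10.9.9.7'.
"""

WORKSTATION_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed workstation subnet
WORK_HOURS = (6, 20)  # assumed: starts between 06:00 and 20:00 are routine

# Rule 503 does not decode srcip, so the address is taken from the message text.
START_RE = re.compile(r"Agent started: '(?P<host>[^'>]+)->(?P<ip>[\d.]+)'")

def parse_alerts(text):
    """Return (timestamp, rule_id, host, ip) for every agent-start alert in the log."""
    events = []
    for block in text.split("** Alert ")[1:]:
        rule = re.search(r"^Rule: (\d+) ", block, re.M)
        when = re.search(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) ", block, re.M)
        started = START_RE.search(block)
        if not (rule and when and started):
            continue
        ts = datetime.strptime(when.group(1), "%Y %b %d %H:%M:%S")
        events.append((ts, int(rule.group(1)), started["host"], started["ip"]))
    return events

def is_routine_start(ts, rule_id, ip):
    """True when an agent start is the expected daily workstation power-on."""
    if rule_id != 503:
        return False
    in_subnet = ipaddress.ip_address(ip) in WORKSTATION_NET
    in_hours = WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]
    return in_subnet and in_hours

def triage(text):
    """Return (host, ip) for agent starts that still deserve an e-mail."""
    return [(h, ip) for ts, rid, h, ip in parse_alerts(text) if not is_routine_start(ts, rid, ip)]
```

Run against the sample, `triage(SAMPLE_ALERTS)` drops the daytime boot of `pos-vm` and returns only `lab-box`, which is the split between routine noise and events worth a look.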


