The log message in 5113 does not appear to contain an IP address: "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
A regex for an IP would not match that log message.

On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
> I have a rule for which I cannot seem to disable the email alerts. Since
> SrcIp is not decoded for this rule, I am using a regex. Below is my
> local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200,
> but the strange thing is that the rule below it (100201) is firing just
> fine, using the exact same regex to match on the IP address of the workstation
> I'm testing on.
>
> This is very confusing to me, but I am new to ossec, so I am hopefully just
> overlooking something simple.
>
> Below is also the e-mail notification I am trying to suppress as well as the
> contents of the alert log.
>
> What am I missing?
>
>
> ----- local_rules.xml -----
> <group name="local,syslog,">
>
>   <rule id="100200" level="2">
>     <if_sid>5113</if_sid>
>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>     <options>no_email_alert</options>
>     <description>No e-mail alerts for work stations shutting down.</description>
>   </rule>
>
>   <rule id="100201" level="2">
>     <if_sid>503</if_sid>
>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>     <options>no_email_alert</options>
>     <description>No email alerts when work stations start up.</description>
>   </rule>
>
> </group> <!-- SYSLOG,LOCAL -->
>
>
> ----- Email -----
> OSSEC HIDS Notification.
> 2011 Mar 04 12:47:56
>
> Received From: (785) 10.1.3.4->/var/log/messages
> Rule: 5113 fired (level 7) -> "System is shutting down."
> Portion of the log(s):
>
> Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
>
> --END OF NOTIFICATION
>
>
>
> ----- Alert log (notice that 5113 fires, instead of 100200) -----
> ** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
> 2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
> Rule: 5113 (level 7) -> 'System is shutting down.'
> Src IP: (none)
> User: (none)
> Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
>
>
> ** Alert 1299272227.153206: - local,syslog,
> 2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
> Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
> Src IP: (none)
> User: (none)
> ossec: Agent started: '785->10.1.3.4'.
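To make the reply's point concrete, here is a small Python simulation of the child-rule check, added as an example and not taken from the thread or from OSSEC itself. It parses the two rules from the quoted local_rules.xml, translates the OSSEC regex dialect into a Python pattern (in OSSEC syntax `\d` is a digit, `\.` matches any character and an unescaped `.` is a literal dot; the translation table and the rule loader are my own simplification and ignore levels, decoders and syslog header stripping), and runs each rule's `<regex>` against the log text of the two quoted events. The agent IP from the alert header ("Received From: (785) 10.1.3.4") is carried alongside but never fed to the regex, which is the behaviour the reply describes: the pattern is tested against the log line, not against the sending agent's address.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the two rules from the quoted local_rules.xml.
LOCAL_RULES_XML = r"""
<group name="local,syslog,">
  <rule id="100200" level="2">
    <if_sid>5113</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
    <options>no_email_alert</options>
    <description>No e-mail alerts for work stations shutting down.</description>
  </rule>
  <rule id="100201" level="2">
    <if_sid>503</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
    <options>no_email_alert</options>
    <description>No email alerts when work stations start up.</description>
  </rule>
</group>
""".strip()

# Constructed from the quoted alert log: (parent rule that matched, agent IP taken
# from the alert header, log text). The agent IP is metadata, not part of the log text.
EVENTS = [
    (5113, "10.1.3.4", "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."),
    (503, "10.1.3.4", "ossec: Agent started: '785->10.1.3.4'."),
]

# Assumed simplification of the OSSEC regex dialect: "\d" digit, "\w" word character,
# "\s" space, "\." any character; an unescaped "." is a literal dot.
_OSSEC_CLASSES = {
    "d": "[0-9]",
    "D": "[^0-9]",
    "w": "[A-Za-z0-9@_-]",
    "W": "[^A-Za-z0-9@_-]",
    "s": " ",
    "S": "[^ ]",
    "t": "\t",
    ".": ".",
}


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif ch in "()|*+^$":
            out.append(ch)             # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(ch))  # everything else, including '.', is literal
            i += 1
    return "".join(out)


def load_rules(xml_text):
    """Parse the <rule> elements into {id: {...}} with the regex pre-compiled."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[int(r.get("id"))] = {
            "if_sid": int(r.findtext("if_sid")),
            "regex": re.compile(ossec_regex_to_python(r.findtext("regex"))),
            "options": (r.findtext("options") or "").split(","),
            "description": r.findtext("description"),
        }
    return rules


def fired_rule(rules, parent_sid, log_text):
    """Return the id of the first child rule whose <if_sid> and <regex> both hold,
    or parent_sid when no child matches (the parent's alert then goes out as-is)."""
    for rid in sorted(rules):
        rule = rules[rid]
        if rule["if_sid"] == parent_sid and rule["regex"].search(log_text):
            return rid
    return parent_sid


def run_example():
    """Evaluate the two quoted events; returns [(parent_sid, rule_that_fired), ...]."""
    rules = load_rules(LOCAL_RULES_XML)
    return [(sid, fired_rule(rules, sid, log)) for sid, _agent_ip, log in EVENTS]


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES_XML)
    for sid, agent_ip, log in EVENTS:
        fired = fired_rule(rules, sid, log)
        quiet = "no_email_alert" in rules.get(fired, {}).get("options", [])
        print(f"agent {agent_ip}: parent {sid} -> rule {fired} fires, "
              f"{'suppressed' if quiet else 'e-mailed'}: {log}")
```

Running it reproduces the quoted alert log: the shutdown line contains no "10.x.3.x" or "10.1.1.152" substring, so 100200 never matches and 5113 is e-mailed at level 7, while the "Agent started: '785->10.1.3.4'" line carries the IP in its text and 100201 fires. The last assertion in the test feeds a constructed shutdown line with an IP appended, which is exactly what 100200 would need in order to fire.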
