Ok, great. Yes, it is the "Kernel log daemon terminating" message:

_This is the alert in the alert.log:_
** Alert 1299259678.72480: mail  - syslog,linuxkernel,system_shutdown,
2011 Mar 04 09:27:58 (pos-vm) 10.1.1.152->/var/log/messages
Rule: 5113 (level 7) -> 'System is shutting down.'
Src IP: (none)
User: (none)
Mar  4 09:27:57 l807 kernel: Kernel log daemon terminating.

_Here is the email:_
OSSEC HIDS Notification.
2011 Mar 04 09:27:58

Received From: (pos-vm) 10.1.1.152->/var/log/messages
Rule: 5113 fired (level 7) -> "System is shutting down."
Portion of the log(s):

Mar  4 09:27:57 l807 kernel: Kernel log daemon terminating.



 --END OF NOTIFICATION

Thanks,
Lars

On 3/7/2011 10:24 AM, gutsy gibbon wrote:
I am pretty sure I can help u with this if u tell me what is the alert
u got... All I need is the one line alert... sorry I can't get it from ur
post.
I think the line is "Mar  4 12:47:55 l785 kernel: Kernel log daemon
terminating."
plz confirm

If the above is the alert, 2 things:
1. Since u are using if_sid to check for the rule 5113 being fired, I
am sure u don't need a regex.
2. All u need to do is route all 5113 alerts to 100200 (or w/e).
So I suggest trying it with an if_sid, Description, and ur preferred
rule level only.
Don't use regular expressions.
Let me know if I helped.


On Mar 4, 7:46 pm, Lars Oberg <[email protected]> wrote:
The host names are fixed, and I cannot change them.  Yes, maybe someone
else will chime in with a solution...

On 3/4/2011 4:39 PM, Jeremy Lee wrote:

There might be another way... I'm sure someone will chime in if they
have an idea. I just can't think of anything else off the top of my
head. If anything, there would have to be a way to grab it via the
decoder. Actually, you might be able to use <regex> if you type in the
actual hostname, <regex>785</regex>; this wouldn't be much different
than <hostname>, however. Unless you add a common prefix to all your
servers like "POS785" etc. Then maybe you could use a regex rule to
filter based on <regex>POS*</regex> or something like that. My regex
is off but you get the idea.
On Fri, Mar 4, 2011 at 4:20 PM, Lars Oberg <[email protected]> wrote:
     That's too bad.  Maintaining that rule with about 100 hosts names
     will be too much work to be feasible, so I don't think I have a
     choice but to ignore the rule altogether.
     At least I don't have to keep banging my head on this problem
     anymore.
     Thanks for your help.
     Lars
     On 3/4/2011 3:44 PM, Jeremy Lee wrote:
     If you need to enter multiple hostnames, the delimiter is "|"
     Let us know what you find.
     On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee <[email protected]> wrote:
         Not sure what you would modify in decoder.xml to get the
         5100/5113 rules to pick up the source IP... because it seems like
         the 5100 base rule is not relying on a decoder but rather on
         program_name, in this case "^kernel".
         In this scenario, I *think* you may need to utilize
         <hostname> (what I had suggested in your other thread). The
         drawback is that you'll have to add a long list of
         hostnames... because I'm assuming this is for all those Linux
         boxes you're monitoring, right?
         I'm not sure if you can use regex in the <hostname> attribute,
         but it's not difficult to test, especially with ossec-logtest.
             On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg <[email protected]> wrote:
             Hi Dan,
             Thanks for clarifying that.  If I understand you
             correctly: even though the alert log shows the IP
             address, I cannot match on it using RegEx since it is not
             part of the actual message body from syslog.
             Is there another way to suppress these e-mails, or do I
             have to mess with the decoder, so that it decodes the
             source IP?
             Lars
             On 3/4/2011 2:59 PM, dan (ddp) wrote:
                 Hi Lars,
                 On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected]> wrote:
                     Actually, it does. I tested the RegEx against the email alert, and it
                     matches. But I tested with PCRE regex. Is there a different flavor of
                     regex I need to use?
                 The OSSEC regex:
                 http://www.ossec.net/doc/syntax/regex.html
                     Also, if the regex is not correct, how come the other rule (100201) fires?
                 100201 deals with the log message: "ossec: Agent started: '785->10.1.3.4'."
                 That log message contains an IP address.
                 100200 deals with the log message: "Mar  4 12:47:55 l785 kernel: Kernel log daemon terminating."
                 That log message does not contain an IP address.
                     On 3/4/2011 2:05 PM, dan (ddp) wrote:
                         The log message in 5113 does not appear to
                         contain an IP address:
                         "Mar  4 12:47:55 l785 kernel: Kernel log
                         daemon terminating."
                         A regex for an IP would not match that log
                         message.
                         On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
                             I have a rule for which I cannot seem to disable the email alerts. Since
                             SrcIp is not decoded for this rule, I am using a regex. Below is my
                             local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200,
                             but the strange thing is that the rule below it (100201) is firing just
                             fine, using the exact same regex to match on the IP address of the
                             workstation I'm testing on.
                             This is very confusing to me, but I am new to ossec, so I am hopefully
                             just overlooking something simple.
                             Below is also the e-mail notification I am trying to suppress as well as
                             the contents of the alert log.
                             What am I missing?
                             ----- local_rules.xml -----
                             <group name="local,syslog,">
                               <!-- Child of 5113 (kernel "System is shutting down."); the regex is
                                    evaluated against the log message, not the alert header -->
                               <rule id="100200" level="2">
                                 <if_sid>5113</if_sid>
                                 <regex>(10\.\d*\.3\.\d*)|(10\.1\.1\.152)</regex>
                                 <options>no_email_alert</options>
                                 <description>No e-mail alerts for workstations shutting down.</description>
                               </rule>
                               <!-- Child of 503 (ossec "Agent started"); that message does contain the IP -->
                               <rule id="100201" level="2">
                                 <if_sid>503</if_sid>
                                 <regex>(10\.\d*\.3\.\d*)|(10\.1\.1\.152)</regex>
                                 <options>no_email_alert</options>
                                 <description>No email alerts when workstations start up.</description>
                               </rule>
                             </group>  <!-- SYSLOG,LOCAL -->
                             ----- Email -----
                             OSSEC HIDS Notification.
                             2011 Mar 04 12:47:56

                             Received From: (785) 10.1.3.4->/var/log/messages
                             Rule: 5113 fired (level 7) -> "System is shutting down."
                             Portion of the log(s):

                             Mar  4 12:47:55 l785 kernel: Kernel log daemon terminating.

                              --END OF NOTIFICATION
                             ----- Alert log (notice that 5113 fires, instead of 100200) -----
                             ** Alert 1299272104.152207: mail  - syslog,linuxkernel,system_shutdown,
                             2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
                             Rule: 5113 (level 7) -> 'System is shutting down.'
                             Src IP: (none)
                             User: (none)
                             Mar  4 12:55:03 l785 kernel: Kernel log daemon terminating.

                             ** Alert 1299272227.153206: - local,syslog,
                             2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
                             Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
                             Src IP: (none)
                             User: (none)
                             ossec: Agent started: '785->10.1.3.4'.
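dan's explanation above is the crux of the thread: the 10.1.3.4 that Lars saw in the e-mail is the agent address from the alert header that OSSEC writes, while a `<regex>` in a rule is evaluated against the syslog line itself, which for rule 5113 carries no IP at all. The following Python is an added example, not code from the thread or from OSSEC: it parses alert blocks in the alert.log layout quoted above (sample blocks constructed from the ones in the thread) and reports where Lars's pattern actually hits; it uses Python's `re` rather than OSSEC's own regex dialect.

```python
import re

# Constructed sample in the alert.log layout quoted in the thread (two blocks).
ALERT_LOG = """\
** Alert 1299272104.152207: mail  - syslog,linuxkernel,system_shutdown,
2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
Rule: 5113 (level 7) -> 'System is shutting down.'
Src IP: (none)
User: (none)
Mar  4 12:55:03 l785 kernel: Kernel log daemon terminating.

** Alert 1299272227.153206: - local,syslog,
2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
Src IP: (none)
User: (none)
ossec: Agent started: '785->10.1.3.4'.
"""

# Block line 2: timestamp, (agent name), agent IP and log location; line 3: the rule.
HEADER_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((?P<agent>[^)]*)\) "
                       r"(?P<agent_ip>\S+)->(?P<location>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Lars's <regex> from local_rules.xml, dots escaped (Python re here, not OSSEC's dialect).
LARS_PATTERN = re.compile(r"(10\.\d*\.3\.\d*)|(10\.1\.1\.152)")

def parse_alerts(text):
    """Split alert.log text into dicts; 'log' is the raw message that rules see."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        alert = HEADER_RE.match(lines[1]).groupdict()
        alert.update(RULE_RE.match(lines[2]).groupdict())
        alert["srcip"] = lines[3].split(": ", 1)[1]  # decoded field, '(none)' if not decoded
        alert["log"] = "\n".join(lines[5:])          # everything after the metadata lines
        alerts.append(alert)
    return alerts

def where_pattern_matches(alert, pattern=LARS_PATTERN):
    """Does the pattern hit the agent header (what the e-mail shows) or the log message?"""
    return {
        "header": pattern.search(alert["agent_ip"]) is not None,
        "log": pattern.search(alert["log"]) is not None,
    }

if __name__ == "__main__":
    for a in parse_alerts(ALERT_LOG):
        print(a["rule_id"], "srcip=" + a["srcip"], where_pattern_matches(a))
```

For the 5113 block the pattern matches only the header, which is why 100200 never fires even though the IP is visible in the e-mail; for the 503-derived block it also matches the log line, so 100201 fires.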
