I have a script that backs up my MySQL databases by flushing the
database, freezing the filesystem and then creating an LVM snapshot of
the volume the database is located on. This is then mounted and
archived with tar and gzip and then the snapshot is unmounted and
destroyed. When the snapshot is mounted a uevent is sent from the
kernel to udevd which spawns a udevd-work worker thread to handle the
snapshot. This process occurs so quickly though that by the time the
thread is spawned the snapshot has been unmounted and destroyed. When
this happens a log entry like this is generated in syslog:

Mar  4 01:30:26 mysql-slave-1 udevd-work[7263]: inotify_add_watch(6, /dev/mapper/vg00-mysql_snapshot, 10) failed: No such file or directory

Using the examples in chapter 4 of the OSSEC Host-Based Intrusion
Detection Guide book, the online documentation and posts in this group
I've created the following local rule in the "local,syslog" group in
my local_rules.xml file to suppress output from this error message:


  <!-- Ignore messages from inotify_add_watch complaining about missing LVM snapshots -->

  <rule id="101002" level="0">
    <if_sid>1002</if_sid>
    <program_name>udevd-work</program_name>
    <match>inotify_add_watch(6, /dev/mapper/vg00-mysql_snapshot, 10) failed</match>
    <options>no_email_alert</options>
    <description>Suppress spurious bad word alert relating to unmounted LVM snapshots</description>
  </rule>

When I run ossec-logtest and feed it one of the udevd-work error
messages it returns the following:

**Phase 1: Completed pre-decoding.
       full event: 'Mar  4 01:30:26 mysql-slave-1 udevd-work[7263]: inotify_add_watch(6, /dev/mapper/vg00-mysql_snapshot, 10) failed: No such file or directory'
       hostname: 'mysql-slave-1'
       program_name: 'udevd-work'
       log: 'inotify_add_watch(6, /dev/mapper/vg00-mysql_snapshot, 10) failed: No such file or directory'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '101002'
       Level: '0'
       Description: 'Suppress spurious bad word alert relating to unmounted LVM snapshots'

I then stop and start OSSEC to load the new rule and end up getting an
e-mail telling me the following:

OSSEC HIDS Notification.
2011 Mar 04 01:30:27

Received From: db-sec-slave->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar  4 01:30:26 mysql-slave-1 udevd-work[7263]: inotify_add_watch(6, /dev/mapper/vg00-mysql_snapshot, 10) failed: No such file or directory

--END OF NOTIFICATION

Obviously I'm doing something wrong here, but I can't figure out what.
I'm basing my rule on the suppressing ntop output example from chapter
4 of the OSSEC book and the examples that Daniel has posted in this
group. My log_alert_level is set to 1 and my email_alert_level is set
to 7.

I've tried various things such as defining a decoder for udevd events
in decoder.xml but none of them work. I'm running OSSEC 2.5.1 on
Ubuntu. I also had this problem with 2.4.1. Any info on how I can make
this work will be greatly appreciated.

Thanks,

Jamie

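The following is an added example, not code from the post above or from OSSEC itself. It re-implements, in simplified form, the two stages ossec-logtest prints for this event: Phase 1 syslog pre-decoding (hostname, program_name, log) and the parent/child rule walk in which stock rule 1002 fires on a "bad word" and the local child rule 101002 is then tried via if_sid. The BAD_WORDS list is a constructed subset standing in for the real $BAD_WORDS variable in rules_config.xml, the `|`/`^`/`$` handling in ossec_match is an approximation of OSSEC's <match> semantics, and the three log lines are constructed for the example. Running it shows that the posted <match> string is a literal: the same udevd-work message with a different inotify file descriptor (7 instead of 6) falls through to rule 1002 at level 2, while the exact line from the post ends at rule 101002, level 0.

```python
"""Simplified emulation of ossec-logtest Phase 1 (syslog pre-decoding) and
the rule tree walk for a local level-0 child of rule 1002.

Added example: not OSSEC source and not the poster's code. The matching
semantics and the BAD_WORDS subset are approximations labelled below.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample events: the line quoted in the post, the same message
# with a different inotify file descriptor, and an unrelated "failed" line.
SAMPLE_LINES = [
    "Mar  4 01:30:26 mysql-slave-1 udevd-work[7263]: inotify_add_watch(6, "
    "/dev/mapper/vg00-mysql_snapshot, 10) failed: No such file or directory",
    "Mar  4 01:30:26 mysql-slave-1 udevd-work[7264]: inotify_add_watch(7, "
    "/dev/mapper/vg00-mysql_snapshot, 10) failed: No such file or directory",
    "Mar  4 01:31:02 mysql-slave-1 cron[7301]: backup job failed with status 1",
]

# Phase 1: "Mon DD HH:MM:SS hostname program[pid]: message"
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "   # timestamp
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[\s:]+)(?:\[\d+\])?: "     # program[pid]:
    r"(?P<log>.*)$"
)


@dataclass
class Event:
    hostname: str
    program_name: str
    log: str


def predecode(line: str) -> Optional[Event]:
    """Pre-decode a syslog line into the fields ossec-logtest prints in Phase 1."""
    m = SYSLOG_RE.match(line)
    return Event(**m.groupdict()) if m else None


def ossec_match(pattern: str, text: str) -> bool:
    """Approximation of OSSEC <match>/<program_name> semantics: '|' separates
    alternatives, a leading '^' anchors to the start, a trailing '$' anchors
    to the end, anything else is a plain substring test. Compared
    case-insensitively here (assumption for this example)."""
    text_l = text.lower()
    for alt in pattern.lower().split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if start else 0: len(alt) - 1 if end else len(alt)]
        if start and end:
            ok = text_l == body
        elif start:
            ok = text_l.startswith(body)
        elif end:
            ok = text_l.endswith(body)
        else:
            ok = body in text_l
        if ok:
            return True
    return False


# Constructed subset of the $BAD_WORDS variable behind stock rule 1002;
# the real list lives in OSSEC's rules_config.xml.
BAD_WORDS = "error|failed|failure|denied|refused|fatal"

# Parent rules first, children after the parent they name in if_sid.
RULES = [
    {"id": "1002", "level": 2, "if_sid": None, "program_name": None,
     "match": BAD_WORDS,
     "description": "Unknown problem somewhere in the system."},
    {"id": "101002", "level": 0, "if_sid": "1002", "program_name": "udevd-work",
     "match": "inotify_add_watch(6, /dev/mapper/vg00-mysql_snapshot, 10) failed",
     "description": "Suppress spurious bad word alert relating to unmounted LVM snapshots"},
]


def rule_applies(rule: dict, event: Event) -> bool:
    """Check the rule's own conditions against the pre-decoded event."""
    if rule["program_name"] and not ossec_match(rule["program_name"], event.program_name):
        return False
    if rule["match"] and not ossec_match(rule["match"], event.log):
        return False
    return True


def evaluate(line: str) -> Optional[Tuple[str, int]]:
    """Return (rule id, level) of the most specific matching rule, or None.
    A child rule is only tried when the rule named in its if_sid has fired."""
    event = predecode(line)
    if event is None:
        return None
    winner = None
    for rule in RULES:
        if rule["if_sid"] is None:
            if rule_applies(rule, event):
                winner = rule
        elif winner is not None and rule["if_sid"] == winner["id"] and rule_applies(rule, event):
            winner = rule
    return (winner["id"], winner["level"]) if winner else None


def would_alert(line: str, log_alert_level: int = 1) -> bool:
    """True if the winning rule's level reaches log_alert_level (level 0 never alerts)."""
    result = evaluate(line)
    return result is not None and result[1] > 0 and result[1] >= log_alert_level


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line), would_alert(line), "<-", line[:60])
```

Only the first sample line reaches rule 101002; the second differs only in the file descriptor inside the parenthesised argument list and is therefore left at rule 1002, level 2, which is the kind of difference worth checking with ossec-logtest against several real lines before trusting a literal <match>.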