If you don't want it to email or log, you should just lower the level to 0.
Adding the no email option doesn't really ignore the log message, it
just doesn't send out an email. Lowering the level to 0 ignores it.

Since you're aware of the issue, the alert looks pretty worthless.

On Tue, Mar 15, 2011 at 11:33 AM, satish patel <[email protected]> wrote:
> One question: I used "no_log". Does that mean it will stop both the alert and the log?
>
>
> On Tue, Mar 15, 2011 at 11:23 AM, satish patel <[email protected]> wrote:
>> Perfect!!! Thanks a lot..
>>
>>
>>
>> On Tue, Mar 15, 2011 at 10:46 AM, Gurtaj Singh
>> <[email protected]> wrote:
>>> Add the following rule to your local_rules.xml:
>>>
>>> <rule id="700678" level="7">
>>> <options>no_email_alert</options>
>>> <match>error on subcontainer 'ia_addr' insert (-1)</match>
>>> <description>IGNORED RULE</description>
>>> </rule>
>>>
>>> The above rule takes that alert as a level 7 (which by default won't be
>>> ignored, but note the options command, due to which it won't be alerted on).
>>> If ever you want to see if you properly fixed the issue, remove the options
>>> command and keep the rest. That way it won't be ignored.
>>>
>>> Another alternative is to call it a level 1 or 2 and completely ignore it (no
>>> logs) or use the no_log command under options.
>>>
>>>
>>> On Tue, 2011-03-15 at 10:29 -0400, satish patel wrote:
>>>
>>> I am getting the following alert constantly. How do I ignore it until I fix the
>>> issue?
>>>
>>>
>>> OSSEC HIDS Notification.
>>> 2011 Mar 15 07:18:52
>>>
>>> Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
>>> insert (-1)
>>>
>>>
>>>
>>
>
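
The level 0 approach from the top reply, written out as an added example that is not part of the original thread. It assumes the rule is chained to rule 1002 (the rule shown firing in the alert) and narrowed to snmpd so that other "Unknown problem" events still alert; the rule id 100100 is a constructed value.

```xml
<!-- local_rules.xml: added example, not a rule posted in the thread -->
<group name="local,syslog,">
  <!-- id 100100 is a constructed value; pick an unused id for local rules -->
  <rule id="100100" level="0">
    <!-- Only evaluated after rule 1002 has matched, as in the alert above -->
    <if_sid>1002</if_sid>
    <!-- Assumption: limit the suppression to messages logged by snmpd -->
    <program_name>^snmpd</program_name>
    <match>error on subcontainer 'ia_addr' insert (-1)</match>
    <!-- Level 0 means no alert, no email and no alert log entry -->
    <description>Known snmpd ia_addr insert error, ignored until fixed</description>
  </rule>
</group>
```

Pasting the sample log line from the alert into ossec-logtest shows which rule matches before the change goes live.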
