hey boys,

I did the following and restarted ossec but I'm still getting the alert :(  Do I
need to specify the 1002 rule ID somewhere here?

<rule id="100002" level="0">
  <options>no_email_alert</options>
  <match>snmpd</match>
  <description>IGNORED RULE</description>
</rule>




On Tue, Mar 15, 2011 at 12:27 PM, dan (ddp) <[email protected]> wrote:
> If you don't want it to email or log, you should just lower the level to 0.
> Adding the no email option doesn't really ignore the log message, it
> just doesn't send out an email. Lowering the level to 0 ignores it.
>
> Since you're aware of the issue, the alert looks pretty worthless.
>
> On Tue, Mar 15, 2011 at 11:33 AM, satish patel <[email protected]> wrote:
>> One question: I used "no_log", does that mean it will stop both the alert and the log?
>>
>>
>> On Tue, Mar 15, 2011 at 11:23 AM, satish patel <[email protected]> wrote:
>>> Perfect!!! Thanks a lot..
>>>
>>>
>>>
>>> On Tue, Mar 15, 2011 at 10:46 AM, Gurtaj Singh
>>> <[email protected]> wrote:
>>>> Add the following rule to your local_rules.xml
>>>>
>>>> <rule id="700678" level="7">
>>>> <options>no_email_alert</options>
>>>> <match>error on subcontainer 'ia_addr' insert (-1)</match>
>>>> <description>IGNORED RULE</description>
>>>> </rule>
>>>>
>>>> The above rule takes that alert as a level 7 (which by default won't be
>>>> ignored, but note the options command, due to which it won't be alerted on).
>>>> If ever you want to see if you properly fixed the issue, remove the options
>>>> command and keep the rest. That way it won't be ignored.
>>>>
>>>> Another alternative is to call it a level 1 or 2 and completely ignore it (no
>>>> logs) or use the no_log command under options.
>>>>
>>>>
>>>> On Tue, 2011-03-15 at 10:29 -0400, satish patel wrote:
>>>>
>>>> I am getting the following alert constantly. How do I ignore it until I fix the
>>>> issue?
>>>>
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2011 Mar 15 07:18:52
>>>>
>>>> Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>> Portion of the log(s):
>>>>
>>>> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
>>>> insert (-1)
>>>>
>>>>
>>>>
>>>
>>
>
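
An added example, not part of the thread: a level-0 child rule tied to rule 1002 through `<if_sid>`, so it is only evaluated for events that rule 1002 has already matched, and narrowed to the one snmpd message so other snmpd errors keep alerting. It assumes rule 1002 is the parent (as the quoted alert shows) and that syslog pre-decoding puts `snmpd` in the program name field rather than in the message text that `<match>` sees.

```xml
<!-- local_rules.xml (added example, not from the thread) -->
<group name="local,syslog,">

  <!-- Child of rule 1002: only considered once 1002 has matched the event -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>

    <!-- Assumption: the pre-decoder extracts "snmpd" as the program name -->
    <program_name>snmpd</program_name>

    <!-- Message text copied from the alert quoted in the thread -->
    <match>error on subcontainer 'ia_addr' insert</match>

    <description>Ignore known snmpd ia_addr insert error</description>
  </rule>

</group>
```

Pasting the log line from the alert into `ossec-logtest` shows the pre-decoded program name and which rule id and level the event ends on.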
