Hi Satish,
You're doing it wrong.
Look at the output of the log message in ossec-logtest:
# cd /var/ossec/bin
# ./ossec-logtest
2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
ossec-testrule: Type one log per line.
Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
insert (-1)
**Phase 1: Completed pre-decoding.
full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on
subcontainer 'ia_addr' insert (-1)'
hostname: 'sebfwint1'
program_name: 'snmpd'
log: 'error on subcontainer 'ia_addr' insert (-1)'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
The <match> option uses the section labeled "log:" to match against.
snmpd is not in that section, it is the program_name.
If you're trying to ignore all messages coming from snmpd (a silly
thing to do), you'd need to use <program_name>snmpd</program_name>. If
you want to ignore this message specifically, use the program_name and
a <match> statement (based on the log: output above).
HTH,
dan
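To make the point above concrete, here is an added example that is not part of the thread and not OSSEC code: it splits the syslog line the same way ossec-logtest's Phase 1 output does (hostname / program_name / log), then evaluates Satish's rule and a corrected rule against those fields. The `<match>` and `<program_name>` tests are approximated as plain substring and equality checks (an assumption; real OSSEC uses its own sregex syntax), and the corrected rule XML is written here for illustration, not taken from the thread.

```python
"""Added example: why <match>snmpd</match> never fires but
<program_name>snmpd</program_name> does.

Assumptions (not OSSEC code): the line is pre-decoded into the three
fields ossec-logtest prints, <program_name> is compared against the
program_name field, and <match> is a substring test against the 'log:'
field only.  OSSEC's real sregex engine is only approximated here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the exact line quoted in the thread.
SAMPLE_LINE = ("Mar 15 07:15:31 sebfwint1 snmpd[1401]: "
               "error on subcontainer 'ia_addr' insert (-1)")

# BSD syslog: "<timestamp> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$")


def pre_decode(line):
    """Phase 1: split a syslog line into hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Unparseable line: everything becomes the 'log' field.
        return {"hostname": "", "program_name": "", "log": line}
    return {"hostname": m["hostname"],
            "program_name": m["program_name"],
            "log": m["log"]}


# The rule posted in the thread that does not work: 'snmpd' is the
# program_name, not part of the 'log:' text that <match> is tested against.
WRONG_RULE = """<rule id="100002" level="0">
  <options>no_email_alert</options>
  <match>snmpd</match>
  <description>IGNORED RULE</description>
</rule>"""

# The shape dan describes (hypothetical rule written for this example):
# key on program_name, then <match> on the 'log:' text, level 0 to ignore.
FIXED_RULE = """<rule id="100002" level="0">
  <program_name>snmpd</program_name>
  <match>error on subcontainer 'ia_addr' insert (-1)</match>
  <description>Known snmpd subcontainer error, ignored until fixed</description>
</rule>"""


def parse_rule(xml_text):
    """Read the handful of rule elements this example cares about."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id"),
        "level": int(root.get("level")),
        "program_name": root.findtext("program_name"),
        "match": root.findtext("match"),
    }


def rule_matches(rule, fields):
    """Simplified OSSEC semantics: <program_name> is compared with the
    program_name field; <match> is looked for in the 'log:' field only."""
    if rule["program_name"] is not None and \
            rule["program_name"] != fields["program_name"]:
        return False
    if rule["match"] is not None and rule["match"] not in fields["log"]:
        return False
    return True


def evaluate(line, rule_xml):
    """Return (rule id, level) if the rule fires, else None, meaning the
    line falls through to the stock rules (rule 1002 in the thread)."""
    fields = pre_decode(line)
    rule = parse_rule(rule_xml)
    if rule_matches(rule, fields):
        return rule["id"], rule["level"]
    return None


if __name__ == "__main__":
    print(pre_decode(SAMPLE_LINE))
    print("wrong rule:", evaluate(SAMPLE_LINE, WRONG_RULE))
    print("fixed rule:", evaluate(SAMPLE_LINE, FIXED_RULE))
```

Running it shows the wrong rule returning None (so OSSEC keeps falling through to rule 1002) while the corrected rule fires at level 0. Keeping the `<match>` on the specific message, rather than ignoring everything from snmpd, means other snmpd errors still reach you.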
On Tue, Mar 15, 2011 at 12:53 PM, satish patel <[email protected]> wrote:
> hey boys,
>
> I did the following and restarted ossec but I am still getting the alert :( Do I
> need to specify rule ID 1002 somewhere here?
>
> <rule id="100002" level="0">
> <options>no_email_alert</options>
> <match>snmpd</match>
> <description>IGNORED RULE</description>
> </rule>
>
>
>
>
> On Tue, Mar 15, 2011 at 12:27 PM, dan (ddp) <[email protected]> wrote:
>> If you don't want it to email or log, you should just lower the level to 0.
>> Adding the no email option doesn't really ignore the log message, it
>> just doesn't send out an email. Lowering the level to 0 ignores it.
>>
>> Since you're aware of the issue, the alert looks pretty worthless.
>>
>> On Tue, Mar 15, 2011 at 11:33 AM, satish patel <[email protected]> wrote:
>>> One question: I used "no_log"; does that mean it will stop both the alert and the log?
>>>
>>>
>>> On Tue, Mar 15, 2011 at 11:23 AM, satish patel <[email protected]> wrote:
>>>> Perfect!!! Thanks a lot..
>>>>
>>>>
>>>>
>>>> On Tue, Mar 15, 2011 at 10:46 AM, Gurtaj Singh
>>>> <[email protected]> wrote:
>>>>> Add the following rule to your local_rules.xml:
>>>>>
>>>>> <rule id="700678" level="7">
>>>>> <options>no_email_alert</options>
>>>>> <match>error on subcontainer 'ia_addr' insert (-1)</match>
>>>>> <description>IGNORED RULE</description>
>>>>> </rule>
>>>>>
>>>>> The above rule takes that alert as a level 7 (which by default won't be
>>>>> ignored, but note the options command, due to which it won't be alerted on).
>>>>> If ever you want to see if you properly fixed the issue, remove the options
>>>>> command and keep the rest. That way it won't be ignored.
>>>>>
>>>>> Another alternative is to call it a level 1 or 2 and completely ignore it (no
>>>>> logs), or use the no_log command under options.
>>>>>
>>>>>
>>>>> On Tue, 2011-03-15 at 10:29 -0400, satish patel wrote:
>>>>>
>>>>> I am getting the following alert constantly; how do I ignore it until I fix the
>>>>> issue?
>>>>>
>>>>>
>>>>> OSSEC HIDS Notification.
>>>>> 2011 Mar 15 07:18:52
>>>>>
>>>>> Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>>> Portion of the log(s):
>>>>>
>>>>> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
>>>>> insert (-1)
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>