Oh, and I got the OSSEC WUI working, Dan; a minor error in the server name.
xDD
But I am disappointed: it's useless... gahhh
Will use Splunk now.
Hope my above reply helped you, Satish.
GS
On Tue, 2011-03-15 at 13:13 -0400, dan (ddp) wrote:
> Hi Satish,
> You're doing it wrong.
>
> Look at the output of the log message in ossec-logtest:
> # cd /var/ossec/bin
> # ./ossec-logtest
> 2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
> 2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/blocked.txt.cdb'
> 2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
> ossec-testrule: Type one log per line.
>
> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
> insert (-1)
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on
> subcontainer 'ia_addr' insert (-1)'
> hostname: 'sebfwint1'
> program_name: 'snmpd'
> log: 'error on subcontainer 'ia_addr' insert (-1)'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> The <match> option uses the section labeled "log:" to match against.
> snmpd is not in that section, it is the program_name.
>
> If you're trying to ignore all messages coming from snmpd (a silly
> thing to do), you'd need to use <program_name>snmpd</program_name>. If
> you want to ignore this message specifically, use the program_name and
> a <match> statement (based on the log: output above).
> HTH,
> dan
>
> On Tue, Mar 15, 2011 at 12:53 PM, satish patel <[email protected]> wrote:
> > hey boys,
> >
> > I did the following and restarted OSSEC but am still getting the alert :( Do I
> > need to specify the 1002 rule ID somewhere here?
> >
> > <rule id="100002" level="0">
> > <options>no_email_alert</options>
> > <match>snmpd</match>
> > <description>IGNORED RULE</description>
> > </rule>
> >
> >
> >
> >
> > On Tue, Mar 15, 2011 at 12:27 PM, dan (ddp) <[email protected]> wrote:
> >> If you don't want it to email or log, you should just lower the level to 0.
> >> Adding the no email option doesn't really ignore the log message, it
> >> just doesn't send out an email. Lowering the level to 0 ignores it.
> >>
> >> Since you're aware of the issue, the alert looks pretty worthless.
> >>
> >> On Tue, Mar 15, 2011 at 11:33 AM, satish patel <[email protected]> wrote:
> >>> One question: I used "no_log"; does that mean it will stop both the alert and the log?
> >>>
> >>>
> >>> On Tue, Mar 15, 2011 at 11:23 AM, satish patel <[email protected]>
> >>> wrote:
> >>>> Perfect!!! Thanks a lot..
> >>>>
> >>>>
> >>>>
> >>>> On Tue, Mar 15, 2011 at 10:46 AM, Gurtaj Singh
> >>>> <[email protected]> wrote:
> >>>>> Add the following rule to your local_rules.xml:
> >>>>>
> >>>>> <rule id="700678" level="7">
> >>>>> <options>no_email_alert</options>
> >>>>> <match>error on subcontainer 'ia_addr' insert (-1)</match>
> >>>>> <description>IGNORED RULE</description>
> >>>>> </rule>
> >>>>>
> >>>>> The above rule takes that alert as a level 7 (which by default won't be
> >>>>> ignored, but note the options command, due to which it won't be alerted on).
> >>>>> If ever you want to see if you properly fixed the issue, remove the
> >>>>> options command and keep the rest. That way it won't be ignored.
> >>>>>
> >>>>> Another alternative is to call it a level 1 or 2 and completely ignore
> >>>>> it (no logs) or use the no_log command under options.
> >>>>>
> >>>>>
> >>>>> On Tue, 2011-03-15 at 10:29 -0400, satish patel wrote:
> >>>>>
> >>>>> I am getting the following alert constantly; how do I ignore it until I fix the
> >>>>> issue?
> >>>>>
> >>>>>
> >>>>> OSSEC HIDS Notification.
> >>>>> 2011 Mar 15 07:18:52
> >>>>>
> >>>>> Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
> >>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> >>>>> Portion of the log(s):
> >>>>>
> >>>>> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
> >>>>> insert (-1)
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
>
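Putting dan's explanation into a working rule, as an added example that is not from anyone in this thread: a local_rules.xml entry that silences only this specific snmpd message at level 0, by testing the decoded program_name field and the "log:" portion separately. The <if_sid> element and the group name are standard OSSEC rule syntax that the thread does not mention; rule id 100002 reuses Satish's id.

```xml
<!-- Added example, not from the thread. Drop this into local_rules.xml. -->
<group name="local,syslog,">
  <!-- Level 0 means OSSEC neither logs nor alerts on the event. -->
  <rule id="100002" level="0">
    <!-- Only override events that rule 1002 would otherwise fire on. -->
    <if_sid>1002</if_sid>
    <!-- program_name is compared against the decoded program_name field,
         which is where "snmpd" lives (it is NOT in the log: portion). -->
    <program_name>snmpd</program_name>
    <!-- match is compared against the log: portion from ossec-logtest,
         so the rule stays narrow: other snmpd messages still alert. -->
    <match>error on subcontainer 'ia_addr' insert (-1)</match>
    <description>snmpd subcontainer error ignored until fixed</description>
  </rule>
</group>
```

Re-run the original line through ossec-logtest after restarting OSSEC; Phase 3 should now report rule 100002 at level 0 with no alert generated.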