It looks like this has been answered, but for the future try using ossec-logtest to help create the rules.
On Mon, May 16, 2011 at 5:01 PM, Randy Dover <rdo...@cscbank.com> wrote:
> I am in need of some quick help. Notification emails are very excessive.
>
> I really like the OSSEC product; I think it's very useful. However, I need
> to get a couple of rules tweaked to keep from getting certain emails or my
> staff will ignore all emails.
>
> I have purchased and looked in the book on rules, but I'm still having
> trouble with putting in effective rule definitions. I am not familiar with
> Linux, and I know the problem is me.
>
> I am posting some examples of the emails I'm getting and will include my
> rules section. I would really REALLY appreciate it if someone would type in
> EXACTLY what I need to put in the local_rules.xml file and not just make a
> "suggestion". I'm trying to implement this, but I am not good with Linux.
>
> Thanks in advance,
> Randy Dover
>
> Here is a sample of some of what I'd like to keep from seeing.
>
> Example 1:
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain: CSCB-LES:
> Internal error in the TCP Server (null reply). Please contact Support.
>
> WinEvtLog: Application: ERROR(77): SXS: (no user): no domain: CSCB-LES:
> Endpoint log was not committed to the database after a series of
> unsuccessful retries. Please review adjacent event log entries.
>
> Example 2:
> WinEvtLog: Application: ERROR(455): ESENT: (no user): no domain: TRAINING2:
> wuaueng.dll (740) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred
> while opening logfile
> C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.
>
> WinEvtLog: Application: ERROR(489): ESENT: (no user): no domain: TRAINING2:
> wuauclt (740) An attempt to open the file
> "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only
> access failed with system error 32 (0x00000020): "The process cannot access
> the file because it is being used by another process. ". The open file
> operation will fail with error -1032 (0xfffffbf8)
>
> Example 3:
> Rule: 7204 fired (level 9) -> "Changed network interface for ip address."
> Portion of the log(s):
>
> Example 4: (The big culprit. We are getting close to 100 a day of this
> alert; the machine name in the WinEvtLog is different, but the error is the
> same - ERROR(52): SXS: etc.)
>
> Received From: (CSCB-FTPINSIDE) 172.16.49.19->WinEvtLog
> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> Portion of the log(s):
> WinEvtLog: System: ERROR(4321): NetBT: (no user): no domain: CSCB-FTPINSIDE:
> The name "CBDOM01 :1d" could not be registered on the Interface with
> IP address 172.16.49.19. The machine with the IP address 172.16.49.15 did
> not allow the name to be claimed by this machine.
>
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain: CSCB-LES:
> Internal error in the TCP Server (null reply). Please contact Support.
>
> WinEvtLog: Application: ERROR(52): SXS: (no user): no domain: CSCB-LES:
> Internal error in the TCP Server (null reply). Please contact Support.
>
> Here's my rules section:
>
> <rule id="100001" level="0">
>   <if_sid>18106</if_sid>
>   <id>529</id>
>   <description>Ignore ID 529 alerts</description>
> </rule>
> <rule id="100002" level="0">
>   <if_sid>18154</if_sid>
>   <id>52</id>
>   <description>Ignore ID 52 alerts</description>
> </rule>
>
> I believe rule ID 100001 is working, but 100002 is not.
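Added example (editor's code, not part of the thread and not OSSEC's own analysisd): a small Python model of what a local rule with `<if_sid>` and `<id>` does to the WinEvtLog lines quoted above, so the effect of an `<id>` value can be checked before it goes into local_rules.xml. Two things are assumed rather than taken from the thread: the stock parent rule is taken to be 18103 "Windows error event" at level 5 for any WinEvtLog line whose status is ERROR, and the frequency rule 18154 that Randy's second rule hooks into is not modelled at all (for that, feed the real lines to ossec-logtest as the reply suggests). The `1052` sample line is constructed, not from the thread; it is there to show that OSSEC's `<id>` is an sregex match, so an unanchored `52` also silences any event ID that merely contains `52`.

```python
"""Toy model of OSSEC local rule selection for WinEvtLog lines.

Editor's example, not OSSEC code. Models only <if_sid> chaining and the
sregex semantics of <id> (substring unless anchored with ^ and $).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input. The first three lines are trimmed from the thread;
# the ERROR(1052) line is made up to expose the unanchored-<id> problem.
SAMPLE_LOGS = [
    "WinEvtLog: Application: ERROR(52): SXS: (no user): no domain: CSCB-LES: "
    "Internal error in the TCP Server (null reply). Please contact Support.",
    "WinEvtLog: Application: ERROR(455): ESENT: (no user): no domain: TRAINING2: "
    "wuaueng.dll (740) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile",
    "WinEvtLog: System: ERROR(4321): NetBT: (no user): no domain: CSCB-FTPINSIDE: "
    'The name "CBDOM01 :1d" could not be registered on the Interface with IP address 172.16.49.19.',
    "WinEvtLog: Application: ERROR(1052): SomeApp: (no user): no domain: CSCB-LES: "
    "constructed line, not from the thread",
]

# Assumed stock parent rule: 18103 "Windows error event", level 5.
BASE_ERROR_SID = 18103
BASE_ERROR_LEVEL = 5

# Constructed local rules: the thread's unanchored <id>52</id>, plus an anchored
# rule for the two ESENT events from Example 2.
LOCAL_RULES_XML = """
<group name="local,">
  <rule id="100002" level="0">
    <if_sid>18103</if_sid>
    <id>52</id>
    <description>Ignore ID 52 alerts</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>18103</if_sid>
    <id>^455$|^489$</id>
    <description>Ignore ESENT 455/489 on the SoftwareDistribution store</description>
  </rule>
</group>
"""
# Same rules with the event ID anchored, which is what you actually want.
ANCHORED_FIX_XML = LOCAL_RULES_XML.replace("<id>52</id>", "<id>^52$</id>")

# WinEvtLog: <log>: <status>(<id>): <source>: <user>: <domain>: <host>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): "
)


def decode(line):
    """Return the decoder-level fields for a WinEvtLog line, or None if it is not one."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def sregex_match(pattern, value):
    """Approximate OSSEC's sregex for the subset used in <id>: alternatives are
    split on '|', '^' anchors the start, '$' the end, and an unanchored
    alternative matches anywhere inside the value."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if start else 0 : -1 if end else None]
        if start and end:
            ok = value == core
        elif start:
            ok = value.startswith(core)
        elif end:
            ok = value.endswith(core)
        else:
            ok = core in value
        if ok:
            return True
    return False


def load_local_rules(xml_text):
    """Parse the <rule> elements we care about from a local_rules.xml fragment."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "sid": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": {int(s) for s in r.findtext("if_sid", "").split(",") if s.strip()},
            "id": r.findtext("id"),
            "description": r.findtext("description", ""),
        })
    return rules


def evaluate(line, local_rules):
    """Return (sid, level, description) of the rule that ends up firing for a line."""
    fields = decode(line)
    if fields is None or fields["status"] != "ERROR":
        return None
    matched = (BASE_ERROR_SID, BASE_ERROR_LEVEL, "Windows error event")
    # Child rules of the matched parent are tried in order; the first whose <id> fits wins.
    for rule in local_rules:
        if matched[0] in rule["if_sid"] and (
            rule["id"] is None or sregex_match(rule["id"], fields["id"])
        ):
            matched = (rule["sid"], rule["level"], rule["description"])
            break
    return matched


def levels(xml_text):
    """Map each sample event ID to the alert level it would get under xml_text."""
    rules = load_local_rules(xml_text)
    return {decode(l)["id"]: evaluate(l, rules)[1] for l in SAMPLE_LOGS}


if __name__ == "__main__":
    for name, xml_text in (("unanchored", LOCAL_RULES_XML), ("anchored", ANCHORED_FIX_XML)):
        print(name, levels(xml_text))
```

Run as-is and the unanchored rule set drops the constructed 1052 event to level 0 along with 52, while the anchored set leaves 1052 at level 5 and still silences 52; either way the NetBT 4321 event keeps its level. The model stops at atomic rules on purpose: whether a level-0 child of a frequency rule like 18154 suppresses its mail depends on which event triggered the composite alert, and that is exactly what pasting the real lines into ossec-logtest tells you.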