Have you tried that without the match? I feel like there was recently a thread about this. Possibly on how to raise the limit.
On Thu, Sep 29, 2011 at 12:19 PM, spinman <[email protected]> wrote:
> I am trying to figure out how to disable this email alert and I haven't had
> much luck yet.
>
> ---Email Alert---
>
> OSSEC HIDS Notification.
> 2011 Sep 29 11:10:10
>
> Received From: ossec->/var/log/messages
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
>
> Sep 29 11:10:10 ossec syslog-ng[3992]: Log statistics;
> processed='destination(d_mail)=4', processed='destination(d_spol)=0',
> processed='source(s_file_fs3)=6774',
> processed='global(payload_reallocs)=528', processed='source(s_sys)=788',
> processed='destination(d_mesg)=272', processed='global(msg_clones)=0',
> processed='src.internal(s_sys#2)=272',
> stamp='src.internal(s_sys#2)=1317312010', processed='destination(d_kern)=0',
> processed='destination(d_mlal)=0', processed='destination(d_cron)=483',
> dropped='dst.udp(d_messages#0,10.13.33.11:514)=0',
> processed='dst.udp(d_messages#0,10.1.3.11:514)=73317',
> stored='dst.udp(d_messages#0,10.1.3.11:514)=0',
> processed='global(sdata_updates)=0', processed='destination(d_auth)=29',
> processed='destination(d_boot)=0', processed='source(s_file_hr1)=10470',
> processed='center(received)=0', processed='source(s_file_fs1)=13899',
> processed='destination(d_messages)=73317',
> processed='source(s_file_hr2)=10305', processed='center(queued)=0',
> processed='source(s_file_fs2)=8202', processed='source(s_file_hr3)=23667'
>
> --END OF NOTIFICATION
>
> I put this in the local-rules.xml but it doesn't seem to be working
>
> <rule id="100304" level="0">
>   <match>Non standard syslog message</match>
>   <if_sid>1003</if_sid>
> </rule>
>
> Any help would be great.
> Thanks
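As an added example (not code from the thread), here is a local_rules.xml override that follows the reply's suggestion: in OSSEC the `<match>` pattern is compared with the log line itself, not with the parent rule's description, so the posted rule never fires; keying on the syslog-ng statistics text silences only that message while leaving rule 1003 active for everything else. The group name and the match string are assumptions; the rule id reuses the one from the post.

```xml
<!-- Added example, not from the original thread. Goes in /var/ossec/rules/local_rules.xml. -->
<group name="local,syslog,">
  <!-- Child of rule 1003 (oversized syslog message). <match> is tested
       against the log text, so "Non standard syslog message" (the parent's
       description) would never match. "Log statistics;" is the constant
       prefix syslog-ng puts in its periodic stats line (assumed from the post). -->
  <rule id="100304" level="0">
    <if_sid>1003</if_sid>
    <match>Log statistics;</match>
    <description>syslog-ng periodic statistics line; oversized but expected.</description>
  </rule>
  <!-- Alternative if you want the event kept in alerts.log but not mailed:
       raise the level (e.g. 3) and add <options>no_email_alert</options>
       instead of dropping to level 0. -->
</group>
```

Paste the offending line into /var/ossec/bin/ossec-logtest after restarting OSSEC to confirm that 100304 now matches instead of 1003; any other oversized syslog message should still trigger 1003 at level 13.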
