These 2 threads kind of deal with the issue:
http://marc.info/?l=ossec-list&m=129708855302876&w=2
http://marc.info/?l=ossec-list&m=126058307720588&w=2

After thinking about it, I think I see the problem with your rule. Your <match> is trying to match the description of rule 1003. Rule 1003's information is meta-data, and not available. So your match should only try to match information in the original log message.

On Thu, Sep 29, 2011 at 1:20 PM, dan (ddp) <[email protected]> wrote:
> Have you tried that without the match?
> I feel like there was recently a thread about this. Possibly on how to
> raise the limit.
>
> On Thu, Sep 29, 2011 at 12:19 PM, spinman <[email protected]> wrote:
>> I am trying to figure out how to disable this email alert and I haven't had
>> much luck yet.
>> ---Email Alert---
>>
>> OSSEC HIDS Notification.
>>
>> 2011 Sep 29 11:10:10
>>
>> Received From: ossec->/var/log/messages
>>
>> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too
>> large)."
>>
>> Portion of the log(s):
>>
>> Sep 29 11:10:10 ossec syslog-ng[3992]: Log statistics;
>> processed='destination(d_mail)=4', processed='destination(d_spol)=0',
>> processed='source(s_file_fs3)=6774',
>> processed='global(payload_reallocs)=528', processed='source(s_sys)=788',
>> processed='destination(d_mesg)=272', processed='global(msg_clones)=0',
>> processed='src.internal(s_sys#2)=272',
>> stamp='src.internal(s_sys#2)=1317312010', processed='destination(d_kern)=0',
>> processed='destination(d_mlal)=0', processed='destination(d_cron)=483',
>> dropped='dst.udp(d_messages#0,10.13.33.11:514)=0',
>> processed='dst.udp(d_messages#0,10.1.3.11:514)=73317',
>> stored='dst.udp(d_messages#0,10.1.3.11:514)=0',
>> processed='global(sdata_updates)=0', processed='destination(d_auth)=29',
>> processed='destination(d_boot)=0', processed='source(s_file_hr1)=10470',
>> processed='center(received)=0', processed='source(s_file_fs1)=13899',
>> processed='destination(d_messages)=73317',
>> processed='source(s_file_hr2)=10305', processed='center(queued)=0',
>> processed='source(s_file_fs2)=8202', processed='source(s_file_hr3)=23667'
>>
>> --END OF NOTIFICATION
>>
>> I put this in the local-rules.xml but it doesn't seem to be working
>>
>> <rule id="100304" level="0">
>>   <match>Non standard syslog message</match>
>>   <if_sid>1003</if_sid>
>> </rule>
>>
>> Any help would be great.
>> Thanks
>
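To illustrate the point made in the reply above, here is an added example (not code from the thread) showing the posted rule next to a corrected one that matches a substring of the actual syslog-ng log line; it assumes the default OSSEC layout where local rules live in a `<group>` inside local_rules.xml.

```xml
<!-- Added example, not part of the original thread. Assumes the standard
     OSSEC install where local rules are kept in /var/ossec/rules/local_rules.xml. -->
<group name="local,syslog,">

  <!-- As posted (kept commented out): <match> is compared against the text of
       the log message, never against rule 1003's description, so the string
       "Non standard syslog message" is never found and the rule never fires. -->
  <!--
  <rule id="100304" level="0">
    <match>Non standard syslog message</match>
    <if_sid>1003</if_sid>
  </rule>
  -->

  <!-- Corrected: chain off rule 1003 with if_sid, then match a substring that
       really occurs in the oversized line ("Log statistics; processed=").
       Level 0 discards the event entirely; if you only want to stop the email
       but still keep the event in alerts.log, use a level below the
       email_alert_level configured in ossec.conf instead of 0. -->
  <rule id="100304" level="0">
    <if_sid>1003</if_sid>
    <match>Log statistics; processed=</match>
    <description>syslog-ng periodic statistics line; size-limit alert ignored.</description>
  </rule>

</group>
```

After restarting OSSEC, paste the quoted syslog-ng line into /var/ossec/bin/ossec-logtest to confirm that the final rule reported is 100304 at level 0 rather than 1003 at level 13.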
