That's interesting.
Thanks a lot!
I did follow your advice and believe I figured it out. I had to have
"named" for the program name.
So the working rule filter is:
<group name="syslog">
  <rule id="100102" level="0">
    <if_sid>1002</if_sid>
    <program_name>named</program_name>
    <match>error (network unreachable) resolving</match>
    <options>no_email_alert</options>
    <description>Resolve Events ignored.</description>
  </rule>
</group>
[root@targetmyad ~]# /var/ossec/bin/ossec-logtest
2012/01/09 18:28:39 ossec-testrule: INFO: Started (pid: 15978).
ossec-testrule: Type one log per line.
Jan 9 18:10:21 mail01 named[16307]: error (network unreachable) resolving 'ns1.zurich.surf.net/AAAA/IN': 2001:610:0:800c:195:169:124:71#53
**Phase 1: Completed pre-decoding.
full event: 'Jan 9 18:10:21 mail01 named[16307]: error (network unreachable) resolving 'ns1.zurich.surf.net/AAAA/IN': 2001:610:0:800c:195:169:124:71#53'
hostname: 'mail01'
program_name: 'named'
log: 'error (network unreachable) resolving 'ns1.zurich.surf.net/AAAA/IN': 2001:610:0:800c:195:169:124:71#53'
**Phase 2: Completed decoding.
decoder: 'named'
**Phase 3: Completed filtering (rules).
Rule id: '100102'
Level: '0'
Description: 'Resolve Events ignored.'
On Jan 9, 4:42 pm, Stephane Rossan <[email protected]> wrote:
> You should use ossec-logtest and see how this alert is decoded by OSSEC.
> The rule 1002 is usually run because your error message contains one of the
> keywords of the rule, I believe in this case it is caused by "error".
> I tried against one of my test OSSEC server and got a different result:
> [fimtest100 ~]# /apps/ossec/bin/ossec-logtest
> 2012/01/09 21:39:47 ossec-testrule: INFO: Reading local decoder file.
> 2012/01/09 21:39:48 ossec-testrule: INFO: Started (pid: 20910).
> ossec-testrule: Type one log per line.
>
> Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53'
> hostname: 'mail01'
> program_name: 'named'
> log: 'error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53'
>
> **Phase 2: Completed decoding.
> decoder: 'named'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '12100'
> Level: '0'
> Description: 'Grouping of the named rules'
>
> I have an OSSEC 2.6 version installed.
>
> -Stephane
>
> From: Scott <[email protected]>
> Reply-To: <[email protected]>
> Date: Mon, 9 Jan 2012 12:05:48 -0500
> To: <[email protected]>
> Subject: [ossec-list] rule 1002 problem... did i completely miss something?
>
> Jan 9 12:00:03 mail01 named[16307]: error (network unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53
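As an added illustration (this is not OSSEC code and was not posted by either participant), here is a small Python model of the three ossec-logtest phases shown above: the syslog header is pre-decoded into hostname, program_name and log, then the rule tree is walked from the stock parent rule 1002 down to the local child 100102. The keyword list of rule 1002 is abbreviated and its <match> semantics reduced to a substring test over '|'-separated alternatives, both assumptions made here for brevity; the program name "bind" is a made-up wrong value used only to show that the child rule does not fire, and the event stays at 1002, until <program_name> equals the value the pre-decoder actually extracted ("named").

```python
"""Simplified model of OSSEC pre-decoding and rule matching (added example,
not OSSEC's own code). Mirrors what ossec-logtest prints in the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# BSD-style syslog header as seen in the thread:
#   "Jan  9 18:10:21 mail01 named[16307]: error (network unreachable) ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)


@dataclass
class Rule:
    id: int
    level: int
    match: Optional[str] = None         # <match>: '|' separates alternatives (simplified)
    program_name: Optional[str] = None  # <program_name>: must equal the pre-decoded value
    if_sid: Optional[int] = None        # <if_sid>: parent rule that must match first
    description: str = ""


def predecode(line):
    """Phase 1: split the syslog header into hostname / program_name / log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {k: m.group(k) for k in ("hostname", "program_name", "log")}


def ossec_match(pattern, text):
    # Assumption: treat <match> as a substring test over '|' alternatives.
    return any(alt in text for alt in pattern.split("|"))


def rule_applies(rule, event):
    if rule.program_name is not None and rule.program_name != event["program_name"]:
        return False
    if rule.match is not None and not ossec_match(rule.match, event["log"]):
        return False
    return True


def evaluate(rules, line):
    """Phase 3: top-level rules (no if_sid) are tried in order; once one
    matches, its children (if_sid == parent id) are tried, and the deepest
    matching rule is the one reported."""
    event = predecode(line)
    children = {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)
    best = None
    frontier = children.get(None, [])
    while frontier:
        hit = next((r for r in frontier if rule_applies(r, event)), None)
        if hit is None:
            break
        best = hit
        frontier = children.get(hit.id, [])
    return best


# Abbreviated rendering of the stock syslog rule 1002 (assumption: the real
# keyword list is longer; "error" is the keyword that fires on this event).
RULE_1002 = Rule(id=1002, level=2, match="error|failed|denied",
                 description="Unknown problem somewhere in the system.")

# Scott's working local rule from the thread.
RULE_100102 = Rule(id=100102, level=0, if_sid=1002, program_name="named",
                   match="error (network unreachable) resolving",
                   description="Resolve Events ignored.")

# Same rule with a made-up wrong program name, to show why it would not fire.
RULE_WRONG_PROGRAM = Rule(id=100102, level=0, if_sid=1002, program_name="bind",
                          match="error (network unreachable) resolving",
                          description="Resolve Events ignored.")

# Constructed sample line, copied from the thread's ossec-logtest run.
SAMPLE = ("Jan  9 18:10:21 mail01 named[16307]: error (network unreachable) "
          "resolving 'ns1.zurich.surf.net/AAAA/IN': 2001:610:0:800c:195:169:124:71#53")


def classify(line, local_rule=RULE_100102):
    """Return (rule id, level, description) for a line, or None if nothing matched."""
    r = evaluate([RULE_1002, local_rule], line)
    return (r.id, r.level, r.description) if r else None


if __name__ == "__main__":
    print("pre-decoded:", predecode(SAMPLE))
    print("with program_name=named:", classify(SAMPLE))
    print("with program_name=bind: ", classify(SAMPLE, RULE_WRONG_PROGRAM))
```

Running it prints the same fields ossec-logtest shows (hostname 'mail01', program_name 'named') and reports rule 100102 at level 0 for the working rule, but falls back to rule 1002 at level 2 when <program_name> does not match what was pre-decoded, which is the failure mode the first attempt ran into.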