Hello,

I get the below alert in the email:

OSSEC HIDS Notification.
2012 Jan 20 14:34:08

Received From: myhost->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jan 20 14:34:06 myhost abrtd: Corrupted or bad dump /var/spool/abrt/ccpp-2012-01-20-14:34:06-30813 (res:2), deleting

###

So, in order to avoid getting alerted, I added the below configuration
lines in /var/ossec/rules/local_rules.xml:

  <rule id="100041" level="2">
    <if_sid>1002</if_sid>
    <options>no_email_alert</options>
    <regex>abrtd</regex>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

Saved the file, restarted the ossec service. I still get those alerts. Can
someone tell me the correct way to avoid these alerts?

Thanks,
UG
