On Fri, Jan 20, 2012 at 3:38 PM, upen <[email protected]> wrote:
> Hello,
>
> I get the alert below in the email:
>
> OSSEC HIDS Notification.
> 2012 Jan 20 14:34:08
>
> Received From: myhost->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> Jan 20 14:34:06 myhost abrtd: Corrupted or bad dump /var/spool/abrt/ccpp-2012-01-20-14:34:06-30813 (res:2), deleting
>
> ###
>
> So, in order to avoid getting alerted, I added the configuration lines below
> to /var/ossec/rules/local_rules.xml:
>
> <rule id="100041" level="2">
>   <if_sid>1002</if_sid>
>   <options>no_email_alert</options>
>   <regex>abrtd</regex>

Why use <regex> if you aren't using any regex?

>   <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> Saved the file, restarted the ossec service. I still get those alerts. Can
> someone tell me the correct way to avoid these alerts?
>
> Thanks,
> UG

<rule id="blahblahblah" level="0">
  <if_sid>1002</if_sid>
  <program_name>abrtd</program_name>
  <match>^Corrupted or bad dump</match>
  <description>Ignore corrupted or bad dumps.</description>
</rule>
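To see why the suggested child rule silences exactly the abrtd message and nothing else, here is a small simulation of how OSSEC evaluates it. This is an added example, not code from the thread or from OSSEC itself: it approximates OSSEC's syslog pre-decoder (which splits a line into hostname, program_name and the message after "prog[pid]: ") and its <match> semantics ("|" alternatives, "^"/"$" anchors, otherwise substring), uses an abbreviated, constructed stand-in for the word list behind the real rule 1002, and reuses the asker's local id 100041 in place of "blahblahblah" because OSSEC rule ids must be numeric. All sample log lines are constructed; only the first mirrors the message from the thread.

```python
import re
from typing import Optional, Tuple

# Constructed sample lines. The first mirrors the abrtd message from the thread;
# the others are invented to show what the child rule does and does not silence.
SAMPLE_LOGS = [
    "Jan 20 14:34:06 myhost abrtd: Corrupted or bad dump "
    "/var/spool/abrt/ccpp-2012-01-20-14:34:06-30813 (res:2), deleting",
    "Jan 20 14:40:12 myhost abrtd: Failed to create directory /var/spool/abrt/example",
    "Jan 20 14:41:00 myhost kernel: Corrupted or bad dump detected",
    "Jan 20 14:42:30 myhost sshd[4321]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]

# Minimal stand-in for OSSEC's syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: message".
# The message after "prog[pid]: " is what OSSEC rules match against as the log field.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<log>.*)$"
)

# Abbreviated, constructed version of the bad-word list behind OSSEC rule 1002
# (the real list lives in syslog_rules.xml and is longer).
BAD_WORDS = ("corrupted", "failed", "failure", "error", "bad ", "denied", "refused")

# Rules in evaluation order (parents before children). Level 0 means "ignore".
RULES = [
    {"id": 1002, "level": 2, "if_sid": None, "program_name": None,
     "match": None, "bad_words": BAD_WORDS},
    # The reply's suggested child rule, with a numeric id substituted for "blahblahblah".
    {"id": 100041, "level": 0, "if_sid": 1002, "program_name": "abrtd",
     "match": "^Corrupted or bad dump", "bad_words": None},
]


def predecode(line: str) -> Optional[dict]:
    """Split a syslog line into the fields OSSEC rules refer to; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def ossec_match(pattern: str, text: str) -> bool:
    """Approximate OSSEC <match>: '|' separates alternatives, '^' anchors the start,
    '$' anchors the end, and everything else is a literal substring test."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        if head:
            alt = alt[1:]
        if tail:
            alt = alt[:-1]
        if head and tail:
            ok = text == alt
        elif head:
            ok = text.startswith(alt)
        elif tail:
            ok = text.endswith(alt)
        else:
            ok = alt in text
        if ok:
            return True
    return False


def evaluate(line: str) -> Optional[Tuple[int, int]]:
    """Return (rule id, level) of the most specific rule that fires, or None."""
    ev = predecode(line)
    if ev is None:
        return None
    fired = None
    for rule in RULES:
        # A child rule is only considered if its parent just fired on this event.
        if rule["if_sid"] is not None and (fired is None or fired["id"] != rule["if_sid"]):
            continue
        if rule["bad_words"] is not None and not any(w in ev["log"].lower() for w in rule["bad_words"]):
            continue
        # <program_name> is compared with the pre-decoded program, not searched in the message.
        if rule["program_name"] is not None and rule["program_name"] != ev["program_name"]:
            continue
        # <match> is applied to the message after "prog[pid]: ", so "^" anchors there.
        if rule["match"] is not None and not ossec_match(rule["match"], ev["log"]):
            continue
        fired = rule
    return (fired["id"], fired["level"]) if fired else None


def alerts(line: str) -> bool:
    """A level-0 rule drops the event; anything else is passed on to alerting."""
    result = evaluate(line)
    return result is not None and result[1] > 0


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(evaluate(log), "alert" if alerts(log) else "silenced/no match", "<-", log[:60])
```

The first abrtd line ends at the level-0 child and is dropped; the second abrtd line still trips rule 1002 because it does not start with "Corrupted or bad dump", and the kernel line is untouched because <program_name> does not match, which is the point of scoping the suppression with both conditions rather than a bare "abrtd" pattern. To check the real rule against the real engine, feed the log line on stdin to /var/ossec/bin/ossec-logtest, which prints the decoder output and the rule and level that fire.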
