On Jan 21, 11:22 am, "dan (ddp)" <[email protected]> wrote:
> On Fri, Jan 20, 2012 at 3:38 PM, upen <[email protected]> wrote:
> > Hello,
> >
> > I get the alert below in the email,
> >
> > OSSEC HIDS Notification.
> > 2012 Jan 20 14:34:08
> >
> > Received From: myhost->/var/log/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> > Jan 20 14:34:06 myhost abrtd: Corrupted or bad dump /var/spool/abrt/ccpp-2012-01-20-14:34:06-30813 (res:2), deleting
> >
> > ###
> >
> > So, in order to avoid getting alerted I added the configuration lines below in /var/ossec/rules/local_rules.xml
> >
> > <rule id="100041" level="2">
> > <if_sid>1002</if_sid>
> > <options>no_email_alert</options>
> > <regex>abrtd</regex>
>
> Why use <regex> if you aren't using any regex?
>
> > <description>Unknown problem somewhere in the system.</description>
> > </rule>
> >
> > Saved the file, restarted the ossec service. I still get those alerts. Can someone tell me the correct way to avoid these alerts?
> >
> > Thanks,
> > UG
>
> <rule id="blahblahblah" level="0">
> <if_sid>1002</if_sid>
> <program_name>abrtd</program_name>
> <match>^Corrupted or bad dump</match>
> <description>Ignore corrupted or bad dumps.</description>
> </rule>

Thanks Dan.
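As an added illustration, not part of the thread, the Python model below decodes syslog lines into hostname, program name and message body and evaluates both rules from the thread against constructed sample lines. It assumes (my reading of OSSEC's syslog decoder) that `<program_name>` is compared against the decoded program name while `<match>` and `<regex>` are applied only to the message body after the program name, so under that model a literal `abrtd` in `<regex>` never sees the text it is looking for, whereas Dan's `<program_name>` plus anchored `<match>` catches exactly the abrtd line.

```python
import re

# Constructed sample lines. The first is the abrtd line quoted in the thread; the
# other two are made up here to show a non-matching message and a different program.
SAMPLE_LINES = [
    "Jan 20 14:34:06 myhost abrtd: Corrupted or bad dump "
    "/var/spool/abrt/ccpp-2012-01-20-14:34:06-30813 (res:2), deleting",
    "Jan 20 14:35:10 myhost abrtd: Saved core dump of pid 30999 to "
    "/var/spool/abrt/ccpp-2012-01-20-14:35:09-30999",
    "Jan 20 14:36:00 myhost sshd[1234]: Corrupted or bad dump reported by a helper",
]

# Simplified syslog header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def decode_syslog(line):
    """Split a syslog line into (hostname, program_name, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return None if m is None else (m["host"], m["prog"], m["msg"])

def dans_rule_matches(line):
    """Dan's rule: <program_name>abrtd</program_name> and <match>^Corrupted or bad dump</match>.
    The leading '^' in an OSSEC <match> anchors the literal at the start of the message body."""
    decoded = decode_syslog(line)
    if decoded is None:
        return False
    _, prog, msg = decoded
    return prog == "abrtd" and msg.startswith("Corrupted or bad dump")

def upens_rule_matches(line):
    """The original rule: <regex>abrtd</regex> with no <program_name>. In this model the
    literal is searched in the message body only, where 'abrtd' does not appear."""
    decoded = decode_syslog(line)
    return decoded is not None and "abrtd" in decoded[2]

def classify(lines):
    """Map each line to the rule that would catch it ('dan', 'upen') or None."""
    result = {}
    for line in lines:
        if dans_rule_matches(line):
            result[line] = "dan"
        elif upens_rule_matches(line):
            result[line] = "upen"
        else:
            result[line] = None
    return result

if __name__ == "__main__":
    for line, hit in classify(SAMPLE_LINES).items():
        print(f"{hit or 'no local rule':>13}: {line[:60]}")
```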
