Hi! I just started using OSSEC and am starting to tailor the rules. In my alerts file, I keep getting this message:

** Alert 1331045533.3270: - ossec,rootcheck,
2012 Mar 06 08:52:13 logger->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: CIS - Debian Linux 4.16 - Disable standard boot services - MySQL server Enabled. File: /etc/init.d/mysql. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux

The machine legitimately has a MySQL server on it, and I'd like to ignore it for the machine. I have configured the following rule:

<rule id="100516" level="0">
  <if_sid>516</if_sid>
  <match>MySQL server Enabled.</match>
  <description>Ignoring rule 516 - MySQL server</description>
</rule>

I reran the checks and it didn't flag the MySQL server this time; however, I believe this is a 'global' rule for all the machines OSSEC is on (I have a server and multiple agents). If I only want this rule to flag on the "logger" machine, can I do something like this?

<srcip>127.0.0.1</srcip>

Logger's IP is 127.0.0.1. Since the logs show what I named the agent, it makes me think that it won't work... but the documentation says otherwise.

Thanks!
Mike
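Added example, not part of Mike's post: a local_rules.xml fragment that keeps the suppression but scopes it to one sender. OSSEC's <srcip> rule option is compared against the source-IP field a decoder extracts from a log event, and rootcheck events carry no such field, so it has nothing to match; the <hostname> option is instead compared against the sender recorded in the alert location ("logger->rootcheck" above), which is the agent name for agents and the manager's own hostname for the manager. The hostname "logger" is taken from the alert; the rule id 100516 is the one from the post, and the group name is an assumption.

```xml
<!-- Added example (not from the post): OSSEC local_rules.xml fragment. -->
<group name="local,rootcheck,">

  <!-- The rule as posted. With only if_sid and match it fires for every
       sender, so it silences the MySQL finding on the manager and on all
       agents. Kept here, commented out, for comparison. -->
  <!--
  <rule id="100516" level="0">
    <if_sid>516</if_sid>
    <match>MySQL server Enabled.</match>
    <description>Ignoring rule 516 - MySQL server</description>
  </rule>
  -->

  <!-- Scoped version: same if_sid and match, plus a hostname condition.
       hostname is tested against the sender name in the event location
       ("logger" in "logger->rootcheck"). The ^ and $ anchors are
       supported by OSSEC's pattern matcher and stop "logger" from also
       matching a host called "logger2" or "mylogger". Events from any
       other sender fall through to the stock rule 516 unchanged. -->
  <rule id="100516" level="0">
    <if_sid>516</if_sid>
    <hostname>^logger$</hostname>
    <match>MySQL server Enabled.</match>
    <description>Ignoring rule 516 - MySQL server on host logger only</description>
  </rule>

</group>
```

After saving the file, restart the manager (for a default install, /var/ossec/bin/ossec-control restart) so the new rule is loaded, then wait for the next rootcheck run on an agent that also has MySQL enabled and confirm that rule 516 still fires there while it stays quiet for "logger".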
