I have modified my syslog_rules.xml to exclude alerts for standard OSX
Server error messages, and while they work in ossec-logtest they do not
alter the alerting policy on the server.
Rule from syslog_rules:
<rule id="100201" level="0">
<if_sid>1002</if_sid>
<program_name>servermgrd</program_name>
<options>no_email_alert</options>
<description>Server Manager errors ignore</description>
</rule>
Event log:
Apr 10 10:33:35 seahkgxsv01 servermgrd[56468]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x1004284a0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."
ossec-logtest results:
$ sudo /var/ossec/bin/ossec-logtest
2012/04/16 08:51:02 ossec-testrule: INFO: Reading local decoder file.
2012/04/16 08:51:02 ossec-testrule: INFO: Started (pid: 99621).
ossec-testrule: Type one log per line.
Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."

**Phase 1: Completed pre-decoding.
full event: 'Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."'
hostname: 'seahkgxsv01'
program_name: 'servermgrd'
log: '-[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '100201'
Level: '0'
Description: 'Server Manager errors ignore'
**However**
This alert is still sent via email:
OSSEC HIDS Notification.
2012 Apr 16 08:22:19

Received From: seahkgxsv01->/var/log/system.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."

--END OF NOTIFICATION
What I have tried:
Restarted ossec, stopped ossec, started ossec. Checked rule permissions.
This is happening with all syslog_rules.xml modifications, but
msauth_rules.xml mods *are* working.
My config currently only has a single system on syslog, the local OSX
Server running the ossec server (and agent).
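The expected behaviour of the rule chain in the post, modelled as an added example (this is not OSSEC's own code): a syslog pre-decoder pulls out hostname, program_name and log, a root rule 1002 fires on an error keyword, and the level-0 child rule 100201 (if_sid 1002, program_name servermgrd) then overrides it, which is what ossec-logtest reported. The keyword list standing in for OSSEC's $BAD_WORDS variable and the sshd and cron log lines are assumptions constructed for the example; the servermgrd line is the one from the post.

```python
"""Toy model of OSSEC parent/child rule resolution (added example, not OSSEC code).

Shows why a level-0 child rule with <if_sid>1002</if_sid> and
<program_name>servermgrd</program_name> should swallow the servermgrd
line while other rule-1002 hits keep alerting.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# Assumption: a subset of OSSEC's $BAD_WORDS, matched case-insensitively.
BAD_WORDS = re.compile(r"core_dumped|failure|error|denied|refused|fatal|failed", re.I)


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    if_sid: Optional[int] = None          # parent id for a child rule, None for a root
    program_name: Optional[str] = None    # <program_name> filter
    match: Optional[re.Pattern] = None    # <match> keyword filter
    options: tuple = ()                   # e.g. ("no_email_alert",)


RULES = [
    Rule(1002, 2, "Unknown problem somewhere in the system.", match=BAD_WORDS),
    Rule(100201, 0, "Server Manager errors ignore", if_sid=1002,
         program_name="servermgrd", options=("no_email_alert",)),
]


def pre_decode(line):
    """Phase 1: split a syslog line into hostname / program_name / log."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_applies(rule, event):
    if rule.program_name is not None and event["prog"] != rule.program_name:
        return False
    if rule.match is not None and not rule.match.search(event["log"]):
        return False
    return True


def evaluate(rules, line):
    """Phase 3: first matching root rule fires, then matching children
    (if_sid == parent id) override it; the deepest match is the final rule."""
    event = pre_decode(line)
    if event is None:
        return None
    matched = next((r for r in rules if r.if_sid is None and rule_applies(r, event)), None)
    while matched is not None:
        child = next((r for r in rules if r.if_sid == matched.rule_id
                      and rule_applies(r, event)), None)
        if child is None:
            return matched
        matched = child
    return None


def would_alert(rules, line):
    """Level 0 means the event is dropped; anything else is logged/alerted."""
    rule = evaluate(rules, line)
    return rule is not None and rule.level > 0


# Log line quoted in the post.
SERVERMGRD_LINE = (
    'Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -[AccountsRequestHandler'
    '(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), '
    'error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 '
    '"Unable to open Directory node with name /LDAPv3/127.0.0.1."'
)
# Constructed lines for contrast (not from the post).
SSHD_LINE = "Apr 16 08:30:00 seahkgxsv01 sshd[1234]: error: PAM: authentication error for root"
CRON_LINE = "Apr 16 08:31:00 seahkgxsv01 cron[55]: (root) CMD (/usr/bin/true)"

if __name__ == "__main__":
    for line in (SERVERMGRD_LINE, SSHD_LINE, CRON_LINE):
        r = evaluate(RULES, line)
        print(f"{line[:60]:60} -> "
              + (f"rule {r.rule_id} level {r.level} ({r.description})" if r else "no rule"))
```

If the real server still emails on rule 1002 while this model and ossec-logtest both resolve to 100201, the running ossec-analysisd is not evaluating the same rule set that logtest reads, so the comparison is a useful sanity check rather than a fix.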