On Wed, Apr 18, 2012 at 2:41 PM, sklauminzer <[email protected]> wrote:
> After moving rules, there is no change. ossec-logtest gives the
> expected result, but we still receive the error on the original rule
> from syslog_rules, so the server is not "seeing" the updates, while
> log test does.
>
> At least I'm glad to have gone through the exercise of moving my rules
> into local.
>
> Any other suggestions?
>

Not really. It's working just fine for me.
Is this a local install or an agent/manager setup? You added these
rules to the manager, correct? Did you restart the manager's OSSEC
processes after adding these rules?

(I modified your rule to be level 10 for this test, but I don't get an
alert with it at 0)
# tail -f alerts/alerts.log
** Alert 1334775237.54057: mail  - ossec,
2012 Apr 18 14:53:57 ix->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1334775264.54209: - local,syslog,
2012 Apr 18 14:54:24 seahkgxsv01->/var/log/test.log
Rule: 100201 (level 10) -> 'Server Manager errors ignore'
Apr 10 10:33:35 seahkgxsv01 servermgrd[56468]: -
[AccountsRequestHandler(AccountsOpenDirectoryHelpers)
openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x1004284a0 "Unable
to open Directory node with name /LDAPv3/127.0.0.1."



> On Apr 18, 4:52 am, "dan (ddp)" <[email protected]> wrote:
>> What happens if you stop modifying syslog_rules.xml and add your rules
>> to local_rules.xml?
>>
>> On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer <[email protected]> wrote:
>> > I have modified my syslog_rules.xml to exclude alerts for standard OSX
>> > Server error messages and while they work in ossec-logtest they do not
>> > alter the alerting policy on the server.
>>
>> > Rule from syslog_rules:
>>
>> >   <rule id="100201" level="0">
>> >     <if_sid>1002</if_sid>
>> >     <program_name>servermgrd</program_name>
>> >     <options>no_email_alert</options>
>> >     <description>Server Manager errors ignore</description>
>> >   </rule>
>>
>> > Event log:
>> > Apr 10 10:33:35 seahkgxsv01 servermgrd[56468]: -
>> > [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
>> > openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
>> > Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x1004284a0 "Unable
>> > to open Directory node with name /LDAPv3/127.0.0.1."
>>
>> > ossec-logtest results:
>>
>> > $sudo /var/ossec/bin/ossec-logtest
>> > 2012/04/16 08:51:02 ossec-testrule: INFO: Reading local decoder file.
>> > 2012/04/16 08:51:02 ossec-testrule: INFO: Started (pid: 99621).
>> > ossec-testrule: Type one log per line.
>>
>> > Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
>> > [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
>> > openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
>> > Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
>> > to open Directory node with name /LDAPv3/127.0.0.1."
>>
>> > **Phase 1: Completed pre-decoding.
>> >       full event: 'Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
>> > [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
>> > openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
>> > Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
>> > to open Directory node with name /LDAPv3/127.0.0.1."'
>> >       hostname: 'seahkgxsv01'
>> >       program_name: 'servermgrd'
>> >       log: '-[AccountsRequestHandler(AccountsOpenDirectoryHelpers)
>> > openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
>> > Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
>> > to open Directory node with name /LDAPv3/127.0.0.1."'
>>
>> > **Phase 2: Completed decoding.
>> >       No decoder matched.
>>
>> > **Phase 3: Completed filtering (rules).
>> >       Rule id: '100201'
>> >       Level: '0'
>> >       Description: 'Server Manager errors ignore'
>>
>> > **However**
>>
>> > This alert is still sent via email:
>>
>> > OSSEC HIDS Notification.
>> > 2012 Apr 16 08:22:19
>>
>> > Received From: seahkgxsv01->/var/log/system.log
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>> > system."
>> > Portion of the log(s):
>>
>> > Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
>> > [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
>> > openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
>> > Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
>> > to open Directory node with name /LDAPv3/127.0.0.1."
>>
>> > --END OF NOTIFICATION
>>
>> > What I have tried:
>>
>> > Restart ossec, stop ossec, start ossec. Check rule permissions.
>>
>> > This is happening with all syslog_rules.xml modifications, but
>> > msauth_rules.xml mods *are* working.
>>
>> > My config currently only has a single system on syslog, the local OSX
>> > Server running ossec server (and agent).
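A script for the two questions dan asks above (is the rule in a file the manager actually loads, and was the manager restarted after that file changed), added here as an example that is not part of the thread and not OSSEC's own tooling. It reads the `<include>` entries from the `<rules>` section of ossec.conf, greps each included file for the rule id, and compares the file's mtime with the ossec-analysisd pid file as a rough "manager started at" reference. The default paths under `/var/ossec` and the use of the pid file's mtime as a start-time proxy are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a rule id is defined in a
# rules file that the manager's ossec.conf actually <include>s, and whether that
# file changed after ossec-analysisd last started (in which case the manager
# still runs the old rule set). Paths follow a default install; OSSEC_DIR and
# the use of the analysisd pid file's mtime as a start-time reference are
# assumptions.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# List the rules files included from the <rules> section of ossec.conf,
# one per line, in include order (later files can override earlier rules).
included_rule_files() {
    sed -n '/<rules>/,/<\/rules>/p' "$1" |
        sed -n 's/.*<include>\([^<]*\)<\/include>.*/\1/p'
}

# Print each included rules file that defines <rule id="RULE_ID" ...>.
# Returns 1 when no included file defines the rule.
files_defining_rule() {
    conf="$1"; rules_dir="$2"; rule_id="$3"
    found=1
    for f in $(included_rule_files "$conf"); do
        [ -f "$rules_dir/$f" ] || continue
        if grep -q "<rule[^>]*id=\"$rule_id\"" "$rules_dir/$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Return 0 when FILE ($1) is newer than REF ($2), a file written when
# analysisd started, i.e. the running manager predates the rule change.
needs_restart() {
    [ "$1" -nt "$2" ]
}

# Report where a rule lives and whether the running manager predates the file.
check_rule() {
    conf="$1"; rules_dir="$2"; rule_id="$3"
    files=$(files_defining_rule "$conf" "$rules_dir" "$rule_id") || {
        echo "rule $rule_id: not defined in any file included by $conf"
        return 1
    }
    for f in $files; do
        echo "rule $rule_id: defined in $f"
        for pidfile in "$OSSEC_DIR"/var/run/ossec-analysisd-*.pid; do
            [ -f "$pidfile" ] || continue
            if needs_restart "$rules_dir/$f" "$pidfile"; then
                echo "  $f changed after ossec-analysisd started; restart the manager"
            fi
        done
    done
}

# Usage on the manager: sh check_rule.sh 100201
if [ $# -gt 0 ]; then
    check_rule "$OSSEC_DIR/etc/ossec.conf" "$OSSEC_DIR/rules" "$1"
fi
```

Run it on the manager, not on an agent: agents do not load rules, so a rule that only exists on an agent never affects alerting, and a rule reported as "defined in local_rules.xml" but with a file newer than the analysisd pid file is exactly the case where ossec-logtest (which re-reads the files on each start) and the live manager disagree.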
