Hey
I've been getting an alert that I want to filter out; basically, a bogus
syslog message. I create a new rule in .../rules/local_rules.xml thusly:
<rule id="100000" level="1">
  <if_sid>1002</if_sid>
  <match>polkitd.*</match>
  <description>Meaningless syslog message. Logging...</description>
</rule>
Even after restarting ossec, a logtest session doesn't show this rule
getting kicked off. The logtest output is shown below. This seems like it
should be pretty easy so I must be missing something that's blindingly
obvious... Any help is greatly appreciated...
Doug O'Leary
# ossec-logtest
2012/08/24 14:18:14 ossec-testrule: INFO: Reading local decoder file.
2012/08/24 14:18:14 ossec-testrule: INFO: Started (pid: 27877).
ossec-testrule: Type one log per line.
Aug 24 09:59:18 myhost01 polkitd(authority=local): Operator of
unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to authenticate to
gain authorization for action
org.freedesktop.packagekit.system-sources-refresh for
system-bus-name::1.698 [gpk-update-icon] (owned by unix-user:myuser)
**Phase 1: Completed pre-decoding.
full event: 'Aug 24 09:59:18 myhost01 polkitd(authority=local):
Operator of unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to
authenticate to gain authorization for action
org.freedesktop.packagekit.system-sources-refresh for
system-bus-name::1.698 [gpk-update-icon] (owned by unix-user:myuser)'
hostname: 'myhost01'
program_name: '(null)'
log: 'polkitd(authority=local): Operator of
unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to authenticate to
gain authorization for action
org.freedesktop.packagekit.system-sources-refresh for
system-bus-name::1.698 [gpk-update-icon] (owned by unix-user:myuser)'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
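Added example (not from the original post and not OSSEC's own code): a small model of why `<match>polkitd.*</match>` never fires on the event above. `<match>` is evaluated with OSSEC's sregex, where only `^`, `$`, `|` and backslash are special, so `.*` is searched for literally; the same pattern under `<regex>`, or a plain substring under `<match>`, does hit. The sregex and regex functions are my simplified stand-ins, and the log text is the `log:` field that ossec-logtest printed in Phase 1.

```python
import re

# The "log" field from Phase 1 of the ossec-logtest run in the post.
LOG = ("polkitd(authority=local): Operator of "
       "unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to authenticate to "
       "gain authorization for action "
       "org.freedesktop.packagekit.system-sources-refresh for "
       "system-bus-name::1.698 [gpk-update-icon] (owned by unix-user:myuser)")


def sregex_match(pattern: str, text: str) -> bool:
    """Simplified model (assumption, not OSSEC's implementation) of sregex, the
    syntax used by <match>: '|' separates alternatives, '^'/'$' anchor to the
    start/end, backslash escapes the next character, and everything else,
    including '.' and '*', is matched as a literal substring."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$") and not alt.endswith("\\$")
        literal = alt[1 if at_start else 0:len(alt) - 1 if at_end else len(alt)]
        literal = re.sub(r"\\(.)", r"\1", literal)  # drop escapes, keep the char
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def regex_match(pattern: str, text: str) -> bool:
    """Stand-in for <regex>: Python's re is close enough for '.' and '*'
    (assumption: no OSSEC-specific classes such as \\w or \\p are used)."""
    return re.search(pattern, text) is not None


def check_rule(field: str, pattern: str, log: str = LOG) -> bool:
    """Evaluate one <match> or <regex> condition against the decoded log field."""
    if field == "match":
        return sregex_match(pattern, log)
    if field == "regex":
        return regex_match(pattern, log)
    raise ValueError(f"unsupported rule field: {field}")


if __name__ == "__main__":
    for field, pattern in [("match", "polkitd.*"), ("match", "polkitd"), ("regex", "polkitd.*")]:
        print(f"<{field}>{pattern}</{field}> fires: {check_rule(field, pattern)}")
```

Running it shows the posted rule's condition as False and the two alternatives as True; in a real deployment, confirm the change with ossec-logtest before restarting, since logtest reads the same rule files.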