On Fri, Aug 24, 2012 at 3:46 PM, dkoleary <[email protected]> wrote:
> Hey
>
> I've been getting an alert that I want to filter out; basically, a bogus
> syslog message.  I create a new rule in .../rules/local_rules.xml thusly:
>
> <rule id="100000" level="1">
>    <if_sid>1002</if_sid>
>    <match>polkitd.*</match>

'pollkitd.*' appears nowhere in the log sample you provided below. I
think you are probably thinking:
<regex>pollkitd\.+</regex> (I can't remember if * works or not and I'm
too lazy to try it out)

but I can't be sure.

>    <description>Meaningless syslog message. Logging...</description>
> </rule>
>
> Even after restarting ossec, a logtest session doesn't show this rule
> getting kicked off.  The logtest output is shown below.  This seems like it
> should be pretty easy so I must be missing something that's blindingly
> obvious...  Any help is greatly appreciated...
>
> Doug O'Leary
>
> # ossec-logtest
> 2012/08/24 14:18:14 ossec-testrule: INFO: Reading local decoder file.
> 2012/08/24 14:18:14 ossec-testrule: INFO: Started (pid: 27877).
> ossec-testrule: Type one log per line.
>
> Aug 24 09:59:18 myhost01 polkitd(authority=local): Operator of
> unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to authenticate to
> gain authorization for action
> org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.698
> [gpk-update-icon] (owned by unix-user:myuser)
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 24 09:59:18 myhost01 polkitd(authority=local):
> Operator of unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to
> authenticate to gain authorization for action
> org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.698
> [gpk-update-icon] (owned by unix-user:myuser)'
>        hostname: 'myhost01'
>        program_name: '(null)'
>        log: 'polkitd(authority=local): Operator of
> unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to authenticate to
> gain authorization for action
> org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.698
> [gpk-update-icon] (owned by unix-user:myuser)'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
>
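As an added example (not from this thread and not OSSEC's own code), the script below applies the quoted rule to the quoted log line offline, so a rule can be checked before restarting the server. It assumes the OSSEC pattern semantics as I understand them: `<match>` is a plain substring search in which only `^`, `$` and `|` are special (so `*` is a literal asterisk), while `<regex>` is OSSEC's own dialect, in which `.` is a literal dot, `\.` is the any-character class, and `+`/`*` are one-or-more / zero-or-more modifiers. The emulation, the helper names (`os_match`, `os_regex`, `rule_fires`) and the `parent_sids` parameter are mine; the rule XML and the log text come from the thread.

```python
import re
import xml.etree.ElementTree as ET

# The "log:" field from the logtest session above (copied from the thread).
LOG = ("polkitd(authority=local): Operator of "
       "unix-session:/org/freedesktop/ConsoleKit/Session6 FAILED to authenticate to "
       "gain authorization for action "
       "org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.698 "
       "[gpk-update-icon] (owned by unix-user:myuser)")

# The rule as posted in the thread.
RULE_XML = """<rule id="100000" level="1">
   <if_sid>1002</if_sid>
   <match>polkitd.*</match>
   <description>Meaningless syslog message. Logging...</description>
</rule>"""


def os_match(pattern, text):
    """Emulate <match> (assumption: substring search; only ^, $ and | are special)."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        body = alt[1:] if anchored_start else alt
        body = body[:-1] if anchored_end else body
        if anchored_start and anchored_end:
            ok = text == body
        elif anchored_start:
            ok = text.startswith(body)
        elif anchored_end:
            ok = text.endswith(body)
        else:
            ok = body in text
        if ok:
            return True
    return False


# Assumed OSSEC regex escapes, translated to Python re syntax.
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": r"[^A-Za-z0-9@_\-]", "D": r"[^0-9]", "S": r"[^ ]",
    ".": r".", "+": r"\+", "*": r"\*", "\\": r"\\",
}
_PASSTHROUGH = set("+*^$|()")


def os_regex_to_python(pattern):
    """Translate the assumed <regex> dialect to a Python regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _CLASSES:
            out.append(_CLASSES[pattern[i + 1]])
            i += 2
            continue
        # Modifiers and anchors pass through; everything else (incl. '.') is literal.
        out.append(c if c in _PASSTHROUGH else re.escape(c))
        i += 1
    return "".join(out)


def os_regex(pattern, text):
    """Emulate <regex> by searching the translated pattern anywhere in the text."""
    return re.search(os_regex_to_python(pattern), text) is not None


def rule_fires(rule_xml, log, parent_sids=frozenset({"1002"})):
    """Return True if the rule would fire, given the rule ids that already matched."""
    rule = ET.fromstring(rule_xml)
    if_sid = rule.findtext("if_sid")
    if if_sid and not any(s.strip() in parent_sids for s in if_sid.split(",")):
        return False
    for tag, matcher in (("match", os_match), ("regex", os_regex)):
        pattern = rule.findtext(tag)
        if pattern is not None and not matcher(pattern, log):
            return False
    return True


if __name__ == "__main__":
    print("rule as posted fires:", rule_fires(RULE_XML, LOG))
    print("<match>polkitd</match> fires:",
          rule_fires(RULE_XML.replace("polkitd.*", "polkitd"), LOG))
    print("<regex>polkitd\\.+</regex> fires:",
          rule_fires(RULE_XML.replace("<match>polkitd.*</match>",
                                      "<regex>polkitd\\.+</regex>"), LOG))
```

Under these assumptions the posted rule does not fire because `polkitd.*` is looked up as a literal substring, whereas `<match>polkitd</match>` or `<regex>polkitd\.+</regex>` both fire; a pattern spelled `pollkitd` does not match the sample either way, which is what `ossec-logtest` should also report if the assumptions hold.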
