Have you tried just matching
polkitd or polkitd\(

On Fri, Aug 24, 2012 at 6:27 PM, Joe Gedeon <[email protected]> wrote:
> Nevermind, I see that it doesn't match program_name in the decoder.
>
> On Fri, Aug 24, 2012 at 6:26 PM, Joe Gedeon <[email protected]> wrote:
>> Why not change match to program_name?
>> <rule id="100000" level="1">
>> <if_sid>1002</if_sid>
>> <program_name>polkitd</program_name>
>> <description>Meaningless syslog message. Logging...</description>
>> </rule>
>>
>> On Fri, Aug 24, 2012 at 4:00 PM, dan (ddp) <[email protected]> wrote:
>>> On Fri, Aug 24, 2012 at 3:59 PM, dkoleary <[email protected]> 
>>> wrote:
>>>> And no joy:
>>>>
>>>> The rule now reads:
>>>>
>>>>
>>>> <rule id="100000" level="1">
>>>>    <if_sid>1002</if_sid>
>>>>    <match>polkitd\.*</match>
>>>
>>> The literal string 'polkitd\.*' does not appear in the log sample you 
>>> provided.
>>>
>>>>
>>>>    <description>Meaningless syslog message. Logging...</description>
>>>> </rule>
>>>>
>>>> and the last stage of the logtest run is still showing:
>>>>
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>        Rule id: '1002'
>>>>        Level: '2'
>>>>        Description: 'Unknown problem somewhere in the system.'
>>>> **Alert to be generated.
>>>>
>>>>
>>>> Thanks for any info/hints/tips/suggests.
>>>>
>>>> Doug O'Leary
>>>>
>>>>
>>>> On Friday, August 24, 2012 2:53:20 PM UTC-5, dkoleary wrote:
>>>>>
>>>>>
>>>>>
>>>>>> 'pollkitd.*' appears nowhere in the log sample you provided below. I
>>>>>> think you are probably thinking:
>>>>>
>>>>>
>>>>> Actually, it does...
>>>>>
>>>>> log: 'polkitd(authority=local)
>>>>>
>>>>> Right there at the beginning of the line; however, I think you pointed out
>>>>> what I was doing wrong... the '.' has to be escaped, from what I read.. 
>>>>> too
>>>>> many regex variants.  I'll give that a try.
>>>>>
>>>>> Thanks.
>>>>>
>>>>>>
>>>>>> <regex>pollkitd\.+</regex> (I can't remember if * works or not and I'm
>>>>>> too lazy to try it out)
>>>>>>
>>>>>
>>>>> Doug O'Leary
>>
>>
>>
>> --
>> Registered Linux User # 379282
>
>
>
> --
> Registered Linux User # 379282



-- 
Registered Linux User # 379282
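One way to see why `<match>polkitd\.*</match>` never fires while the same pattern under `<regex>` would, as an added example that is not part of this thread or of OSSEC's own code: a small Python model of the two OSSEC pattern types. It assumes, simplified from the OSSEC rule-syntax documentation, that `<match>` is a literal substring test in which only `^`, `$` and `|` are special (no wildcards at all), and that `<regex>` treats `\.` as "any character" with `*` and `+` as repeat modifiers; the sample log line is constructed from the `polkitd(authority=local)` fragment quoted in the thread.

```python
import re

# Constructed sample: the syslog body from the thread, with a made-up message tail.
SAMPLE_LOG = "polkitd(authority=local): Registered Authentication Agent for session"

# Assumed OSSEC <regex> escapes, translated to Python re syntax (simplified model).
OSSEC_ESCAPES = {
    ".": ".",                         # \. in OSSEC means "any character"
    "w": "[A-Za-z0-9]",               # \w alphanumerics
    "d": "[0-9]",                     # \d digits
    "s": " ",                         # \s a space
    "t": "\t",                        # \t a tab
    "p": r"[()*+,\-.:;<=>?\[\]]",     # \p punctuation set from the OSSEC docs
}


def ossec_match(pattern: str, text: str) -> bool:
    """Model of <match>: literal substring test; only ^, $ and | are special.

    A backslash, a dot or a star in the pattern is just another literal
    character here, which is why 'polkitd\\.*' can never match a real log line.
    """
    for alternative in pattern.split("|"):
        starts = alternative.startswith("^")
        ends = alternative.endswith("$")
        literal = alternative[1:] if starts else alternative
        literal = literal[:-1] if ends else literal
        if starts and ends:
            hit = text == literal
        elif starts:
            hit = text.startswith(literal)
        elif ends:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def _ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC-style <regex> pattern into a Python regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known escape -> its class; any other escaped char -> that literal char.
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if ch in "^$|()*+":
            out.append(ch)              # structural characters pass through
        else:
            out.append(re.escape(ch))   # everything else, including '.', is literal
        i += 1
    return "".join(out)


def ossec_regex(pattern: str, text: str) -> bool:
    """Model of <regex>: search the line with the translated OSSEC pattern."""
    return re.search(_ossec_regex_to_python(pattern), text) is not None


def evaluate_rules(text: str = SAMPLE_LOG) -> dict:
    """Run the patterns discussed in the thread against the sample line.

    Returns a mapping of (rule element, pattern) -> whether the rule would fire.
    """
    candidates = [
        ("match", "polkitd\\.*"),   # the rule from the thread: literal, never matches
        ("match", "polkitd"),       # plain substring, as suggested in the reply
        ("regex", "polkitd\\.*"),   # same pattern under <regex>: wildcard works
        ("regex", "polkitd\\("),    # escaped paren, literal '(' under <regex>
    ]
    results = {}
    for element, pattern in candidates:
        fn = ossec_match if element == "match" else ossec_regex
        results[(element, pattern)] = fn(pattern, text)
    return results


if __name__ == "__main__":
    for (element, pattern), fired in evaluate_rules().items():
        print(f"<{element}>{pattern}</{element}> -> {'fires' if fired else 'no match'}")
```

The takeaway matches the reply above: under `<match>` the pattern is compared character for character, so the backslash, dot and star must literally appear in the line; to use a wildcard, switch the element to `<regex>`, or simply match the plain string `polkitd`.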