On Wed, May 15, 2013 at 11:03 AM, OSSEC junkie <[email protected]> wrote:
> Thank you both for the reply, I created this rule:
>
> <rule id="18152" level="0">
>   <if_sid>18456</if_sid>
>   <match>svc_vesx</match>
>   <options>no_email_alert</options>
>   <description>Ignore svc_vcenter spam</description>
> </rule>
>
> from the log entry:
>
> Received From: (DB01.DOMAIN) 192.168.0.100->WinEvtLog
> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
> Portion of the log(s):
>
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
> WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
>
> When I attempt to save, I get this message in ossec.log
>
> 2013/05/15 07:58:53 rules_op: Invalid root element "rule".Only "group" is allowed
> 2013/05/15 07:58:53 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> 2013/05/15 08:00:36 ossec-testrule: INFO: Reading local decoder file.
> 2013/05/15 08:00:36 rules_op: Invalid root element "rule".Only "group" is allowed
> 2013/05/15 08:00:36 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>
> Any ideas?
>
Make sure your rule is inside of the "<group>" and "</group>" tags.

> On Wed, May 15, 2013 at 6:27 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, May 14, 2013 at 6:30 PM, OSSEC junkie <[email protected]> wrote:
>> > Is there a way to ignore an alert from a particular user? We have an ESX
>> > environment with a service account that is a bit buggy. It's sending
>> > invalid login attempts by the thousands on a daily basis. Is it possible
>> > to configure OSSEC to ignore any rule created by "svc_vesx" but still log
>> > invalid login attempts as expected?
>> >
>> > I would think it is but want to get the expert opinion. Thanks!
>> >
>>
>> Without seeing the log message, and how it's decoded, I'll go with "yes."
>>
>> <rule id="blahblah" level="0">
>>   <if_sid>whatever_is_flooding</if_sid>
>>   <user>USER</user>
>> </rule>
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
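A local_rules.xml that fixes the root-element error and applies dan's `<user>` suggestion to the alert quoted above, as an added example rather than a rule posted in the thread. It assumes the stock `<group name="local,syslog,">` wrapper, an arbitrary id from OSSEC's local rule range (100000-119999), and that the Windows event decoder puts `svc_vesx` in the user field; if it does not, the original `<match>svc_vesx</match>` on the raw line works in its place.

```xml
<!-- local_rules.xml: every <rule> must sit inside a <group>. A bare
     <rule> as the root element is exactly what rules_op rejects with
     'Invalid root element "rule".Only "group" is allowed'. -->
<group name="local,syslog,">

  <!-- Silence the flood from the svc_vesx service account while leaving
       every other account's logon failures alerting as before.
       - if_sid 18152 chains off the built-in rule that is actually firing
         ("Multiple Windows Logon Failures."), not off the Windows event
         id 18456 that appears in the log text.
       - level 0 never produces an alert, so <options>no_email_alert</options>
         is redundant here.
       - id 100100 is an assumed value from the local range; reusing 18152
         would collide with the built-in rule of that id. -->
  <rule id="100100" level="0">
    <if_sid>18152</if_sid>
    <user>svc_vesx</user>
    <description>Ignore svc_vesx logon-failure spam</description>
  </rule>

</group>
```

Chained this way the svc_vesx failures still count toward 18152's frequency window; to keep them out of that count as well, chain the level-0 rule off the lower Windows audit-failure rule that 18152 builds on instead.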
