Hi all,
I have a stupid question: I get alerts from this log entry:
Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.
Although I have configured this in my local_rules.xml:
<group name="local,syslog,">
<rule id="100003" level="0">
<if_sid>1002</if_sid>
<match>pptpd</match>
<description>Ignore pptpd stuff.</description>
</rule>
</group>
(OSSEC restarted already). This is what logtest says:
root@test6:/var/ossec/bin# ./ossec-logtest
2013/09/26 10:15:36 ossec-testrule: INFO: Reading local decoder file.
2013/09/26 10:15:36 ossec-testrule: INFO: Started (pid: 605).
ossec-testrule: Type one log per line.
Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.
**Phase 1: Completed pre-decoding.
full event: 'Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.'
hostname: 'test6'
program_name: 'pptpd'
log: 'CTRL: EOF or bad error reading ctrl packet length.'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
Any idea what I might be missing here?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
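An added example (not part of the thread, and not OSSEC's own code) that models what the logtest output above shows: Phase 1 pre-decoding splits the line into hostname, program_name and log, and in analysisd a rule's `<match>` is tested against the log field only (the text after "pptpd[22030]: "), while `<program_name>` is tested against the program_name field. The rule as posted is evaluated next to a variant that uses `<program_name>` instead of `<match>`. The BAD_WORDS list is a constructed subset of the `$BAD_WORDS` variable used by rule 1002 in syslog_rules.xml, and the OSMatch semantics are simplified to `|` alternation plus an optional leading `^` anchor.

```python
"""Miniature model of OSSEC syslog pre-decoding and rule matching.

Constructed illustration, not code from OSSEC. It models the behaviour
relevant to the thread: <match> is tested against the decoded log field,
<program_name> against the program_name field, and a child rule (if_sid)
overrides its parent only when its own conditions hold.
"""
import re
import xml.etree.ElementTree as ET

# Constructed subset of $BAD_WORDS from OSSEC's syslog_rules.xml (rule 1002).
BAD_WORDS = "error|bad|denied|failed"

# Phase 1 pre-decoding: "<Mon dd hh:mm:ss> <host> <prog>[pid]: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# The log line from the thread.
LINE = ("Sep 24 18:02:54 test6 pptpd[22030]: "
        "CTRL: EOF or bad error reading ctrl packet length.")

RULES_AS_POSTED = """<rules>
<group name="syslog,">
  <rule id="1002" level="2">
    <match>{bad}</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
<group name="local,syslog,">
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <match>pptpd</match>
    <description>Ignore pptpd stuff.</description>
  </rule>
</group>
</rules>""".format(bad=BAD_WORDS)

# Same rule set, but the child rule keys on the program_name field instead.
RULES_BY_PROGRAM = RULES_AS_POSTED.replace(
    "<match>pptpd</match>", "<program_name>pptpd</program_name>")


def predecode(line):
    """Split a syslog line into the fields logtest prints in Phase 1."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": "", "program_name": "", "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def os_match(pattern, text):
    """Simplified OSMatch: '|' separates alternatives, a leading '^'
    anchors at the start, otherwise a case-sensitive substring test."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def rule_matches(rule, event):
    """Apply the rule's <match> (log field) and <program_name> conditions."""
    ok = True
    if rule.find("match") is not None:
        ok = ok and os_match(rule.find("match").text, event["log"])
    if rule.find("program_name") is not None:
        ok = ok and os_match(rule.find("program_name").text,
                             event["program_name"])
    return ok


def evaluate(rules_xml, line):
    """Return (rule id, level) of the winning rule, or None if nothing fires.
    Parent rules (no if_sid) are tried first; a matching child overrides."""
    event = predecode(line)
    rules = list(ET.fromstring(rules_xml).iter("rule"))
    children = {}
    for r in rules:
        sid = r.find("if_sid")
        if sid is not None:
            children.setdefault(sid.text.strip(), []).append(r)
    for r in rules:
        if r.find("if_sid") is not None or not rule_matches(r, event):
            continue
        winner = r
        for child in children.get(r.get("id"), []):
            if rule_matches(child, event):
                winner = child
                break
        return winner.get("id"), int(winner.get("level"))
    return None


if __name__ == "__main__":
    print(predecode(LINE))
    print("as posted:     ", evaluate(RULES_AS_POSTED, LINE))
    print("by program_name:", evaluate(RULES_BY_PROGRAM, LINE))
```

Running it prints the same three fields logtest shows, then `('1002', 2)` for the rules as posted (the child never sees "pptpd", because that string lives in program_name, not in log) and `('100003', 0)` when the child rule tests `<program_name>`.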