On Thu, Sep 26, 2013 at 6:26 AM, <[email protected]> wrote:
> Hi all,
>
> I have a stupid question, I get alerts from this log entry:
>
> Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl
> packet length.
>
> Although I have configured this in my local_rules.xml:
>
> <group name="local,syslog,">
>   <rule id="100003" level="0">
>     <if_sid>1002</if_sid>
>     <match>pptpd</match>
>     <description>Ignore pptpd stuff.</description>
>   </rule>
> </group>
>
> (OSSEC restarted already). This is what logtest says:
>
> root@test6:/var/ossec/bin# ./ossec-logtest
> 2013/09/26 10:15:36 ossec-testrule: INFO: Reading local decoder file.
> 2013/09/26 10:15:36 ossec-testrule: INFO: Started (pid: 605).
> ossec-testrule: Type one log per line.
>
> Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl
> packet length.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.'
>        hostname: 'test6'
>        program_name: 'pptpd'
>        log: 'CTRL: EOF or bad error reading ctrl packet length.'
>
pptpd does not exist in the "log" entry above, so it won't be able to match.

> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> Any idea what I might miss here?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
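Added example (not from the thread and not OSSEC's own code): a small Python model of what ossec-logtest shows above. Phase 1 splits the syslog header into hostname, program_name and log; a rule's <match> is then tested only against the decoded log field, which is why "pptpd" in the program name never matches. The stand-in for rule 1002 (a short "bad words" list, BAD_WORDS) is a simplification of the real catch-all. The corrected rule using <program_name>, which OSSEC supports as a rule option, is an assumption of this example; the thread itself does not state a fix. The log line and both rule snippets are embedded as constructed sample input.

```python
"""Simplified model of OSSEC pre-decoding and <match> vs <program_name> rule matching."""
import re
import xml.etree.ElementTree as ET

# Phase 1 pre-decoder for the classic syslog header: "Mon DD HH:MM:SS host prog[pid]: log"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

# Simplified stand-in for OSSEC rule 1002; the real bad-words list is longer.
BAD_WORDS = ("failure", "error", " bad ", "denied", "refused", "fatal", "failed")
RULE_1002 = {"id": "1002", "level": 2,
             "description": "Unknown problem somewhere in the system."}

# Constructed sample input: the event from the post.
EVENT = "Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length."

# The rule exactly as posted: <match> looks at the log field, which has no "pptpd".
POSTED_RULE = """
<group name="local,syslog,">
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <match>pptpd</match>
    <description>Ignore pptpd stuff.</description>
  </rule>
</group>
"""

# Assumed fix (not stated in the thread): key the rule on the program_name field instead.
FIXED_RULE = """
<group name="local,syslog,">
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <program_name>pptpd</program_name>
    <description>Ignore pptpd stuff.</description>
  </rule>
</group>
"""


def predecode(event):
    """Return the fields ossec-logtest prints in Phase 1."""
    m = SYSLOG_RE.match(event)
    if m is None:
        return {"full": event, "hostname": None, "program_name": None, "log": event}
    fields = m.groupdict()
    fields["full"] = event
    return fields


def parse_rules(xml_text):
    """Read <rule> elements from a local_rules.xml-style <group>."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level", "0")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "match": r.findtext("match"),
            "program_name": r.findtext("program_name"),
            "description": r.findtext("description"),
        })
    return rules


def rule_matches(rule, fields):
    """<match> is tested against the decoded 'log' field only, never the full event;
    <program_name> is tested against the pre-decoded program name."""
    if rule["match"] is not None and rule["match"] not in fields["log"]:
        return False
    if rule["program_name"] is not None and rule["program_name"] != fields["program_name"]:
        return False
    return True


def evaluate(event, local_rules_xml):
    """Return the rule that ends up alerting: 1002 itself, or the first child that matched."""
    fields = predecode(event)
    log_lc = fields["log"].lower()
    if not any(w in log_lc for w in BAD_WORDS):
        return None  # 1002 would not fire, so nothing chained to it is considered
    fired = RULE_1002
    for rule in parse_rules(local_rules_xml):
        if rule["if_sid"] == fired["id"] and rule_matches(rule, fields):
            fired = rule
            break
    return fired


if __name__ == "__main__":
    print("Phase 1 fields:", predecode(EVENT))
    for name, xml_text in (("posted", POSTED_RULE), ("fixed", FIXED_RULE)):
        r = evaluate(EVENT, xml_text)
        print(f"{name}: rule {r['id']} level {r['level']} ({r['description']})")
```

Running it reproduces the thread: the posted rule leaves 1002 at level 2, the program_name variant lands on 100003 at level 0. Whatever you change, re-run ossec-logtest and confirm Phase 3 reports your rule id before trusting the alert is silenced.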
