Oh, I understand, thanks a lot! (I thought match would match ANYTHING on the logline.) I made it work using this code:
<rule id="100003" level="0">
  <if_sid>1002</if_sid>
  <program_name>pptpd</program_name>
  <description>Ignore pptpd stuff.</description>
</rule>

On Thursday, 26 September 2013 16:01:33 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Sep 26, 2013 at 6:26 AM, <[email protected]> wrote:
> > Hi all,
> >
> > I have a stupid question, I get alerts from this log entry:
> >
> > Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.
> >
> > Although I have configured this in my local_rules.xml:
> >
> > <group name="local,syslog,">
> >   <rule id="100003" level="0">
> >     <if_sid>1002</if_sid>
> >     <match>pptpd</match>
> >     <description>Ignore pptpd stuff.</description>
> >   </rule>
> > </group>
> >
> > (OSSEC restarted already). This is what logtest says:
> >
> > root@test6:/var/ossec/bin# ./ossec-logtest
> > 2013/09/26 10:15:36 ossec-testrule: INFO: Reading local decoder file.
> > 2013/09/26 10:15:36 ossec-testrule: INFO: Started (pid: 605).
> > ossec-testrule: Type one log per line.
> >
> > Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error reading ctrl packet length.'
> > hostname: 'test6'
> > program_name: 'pptpd'
> > log: 'CTRL: EOF or bad error reading ctrl packet length.'
>
> pptpd does not exist in the "log" entry above, so it won't be able to match.
>
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '1002'
> > Level: '2'
> > Description: 'Unknown problem somewhere in the system.'
> > **Alert to be generated.
> >
> > Any idea what I might miss here?
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
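The behaviour dan points out, as an added example that is not part of the thread and not OSSEC's own code: a simplified Python model of the syslog pre-decoding ossec-logtest shows in Phase 1, and of how a `<match>` condition (tested against the decoded `log` field only) and a `<program_name>` condition (tested against the decoded program name) evaluate against the line above. It assumes plain substring matching; OSSEC's real pattern syntax is not reproduced.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The exact log line from the thread, embedded here as sample input.
SAMPLE_EVENT = ("Sep 24 18:02:54 test6 pptpd[22030]: CTRL: EOF or bad error "
                "reading ctrl packet length.")

# Simplified syslog pre-decoding, mirroring the Phase 1 fields ossec-logtest
# prints: hostname, program_name (pid stripped) and the remaining "log".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

def pre_decode(event: str) -> dict:
    """Split a syslog line into the fields a rule is tested against."""
    m = SYSLOG_RE.match(event)
    if m is None:  # not syslog-shaped: no program_name, whole line is "log"
        return {"full_event": event, "hostname": None,
                "program_name": None, "log": event}
    fields = m.groupdict()
    fields["full_event"] = event
    return fields

@dataclass
class Rule:
    rule_id: int
    level: int
    match: Optional[str] = None         # <match>: tested against "log" only
    program_name: Optional[str] = None  # <program_name>: tested against program_name

    def matches(self, fields: dict) -> bool:
        # Simplification: plain substring tests, not OSSEC's pattern syntax.
        if self.match is not None and self.match not in (fields["log"] or ""):
            return False
        if (self.program_name is not None
                and self.program_name not in (fields["program_name"] or "")):
            return False
        return True

# The original rule (never fires) and the working rule from the thread.
MATCH_RULE = Rule(rule_id=100003, level=0, match="pptpd")
PROGRAM_NAME_RULE = Rule(rule_id=100003, level=0, program_name="pptpd")

def would_suppress(rule: Rule, event: str) -> bool:
    """True when a level-0 rule fires for the event, i.e. the alert is ignored."""
    return rule.level == 0 and rule.matches(pre_decode(event))
```

Running `would_suppress` with both rules against `SAMPLE_EVENT` reproduces the thread: the `<match>` rule never fires because "pptpd" is only in the program name, while the `<program_name>` rule does.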
