I obviously have the wrong end of the stick here.
In our environment all of our *nix boxes log to a central server, and we
monitor the logs there.
We have a box "prodbio2" which is not long for this world and is generating
a lot of logs that we don't want.
i.e.:
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:02 prodbio2 kernel: link number 0
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:02 prodbio2 kernel: dram scrub error
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:02 prodbio2 kernel: previous error lost
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
Oct 10 11:06:31 prodbio2 last message repeated 2 times
Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
Oct 10 11:06:31 prodbio2 last message repeated 2 times
Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
Oct 10 11:06:31 prodbio2 last message repeated 2 times
Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
Oct 10 11:06:31 prodbio2 last message repeated 2 times
Oct 10 11:06:32 prodbio2 kernel: bus error local node response, request didn't time out
Oct 10 11:06:32 prodbio2 last message repeated 2 times
Oct 10 11:06:32 prodbio2 kernel: link number 0
Oct 10 11:06:32 prodbio2 last message repeated 2 times
Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
Oct 10 11:06:32 prodbio2 last message repeated 2 times
Oct 10 11:06:32 prodbio2 kernel: previous error lost
Oct 10 11:06:32 prodbio2 last message repeated 2 times
Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
Oct 10 11:06:32 prodbio2 last message repeated 2 times
These generate alerts like the one below that I don't care about, so I want to ignore
them.
OSSEC HIDS Notification.
2013 Oct 10 11:03:06
Received From: prodbio2->/mnt/syslogs/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
I have the following in my local_rules.xml to filter them out:
<rule id="100040" level="0">
  <if_sid>1002</if_sid>
  <match>prodbio2</match>
  <description>List of rules to be ignored.</description>
  <options>no_log</options>
</rule>
But they don't get filtered out.
So what am I doing wrong?
I presumably have got the wrong end of the stick somewhere, but where, I
have no idea.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
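Added example, not part of the post above: a small Python model of how a syslog line is pre-decoded before a rule's <match> is evaluated, so you can see which part of the quoted line a rule like the one posted actually gets to see. It assumes a simplified version of the OSSEC pre-decoder (timestamp, hostname and program name split off the front; <match> as a substring test on the remaining message; <hostname> compared against the hostname field); the function names pre_decode, rule_fires and check_posted_rule are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog header shape the pre-decoder strips: "Mon DD HH:MM:SS host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?:(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: )?"
    r"(?P<log>.*)$"
)

@dataclass
class Event:
    full_log: str
    hostname: str = ""
    program_name: str = ""
    log: str = ""

def pre_decode(line: str) -> Event:
    """Split a syslog line into header fields and message (simplified model, an assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return Event(full_log=line, log=line)
    return Event(full_log=line, hostname=m["hostname"],
                 program_name=m["program_name"] or "", log=m["log"])

def rule_fires(ev: Event, match: Optional[str] = None,
               hostname: Optional[str] = None) -> bool:
    """<match> is tested as a substring of the message field only;
    <hostname> is tested against the hostname field (simplified model)."""
    if match is not None and match not in ev.log:
        return False
    if hostname is not None and hostname != ev.hostname:
        return False
    return True

# Constructed sample input, copied from the line quoted in the OSSEC alert above.
SAMPLE = "Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8"

def check_posted_rule(line: str = SAMPLE) -> dict:
    """Evaluate the posted <match>prodbio2</match> against the message field,
    alongside a <hostname>prodbio2</hostname> check, on the same line."""
    ev = pre_decode(line)
    return {
        "log_field": ev.log,
        "posted_match_rule": rule_fires(ev, match="prodbio2"),
        "hostname_rule": rule_fires(ev, hostname="prodbio2"),
    }

if __name__ == "__main__":
    print(check_posted_rule())
```

The message field left after pre-decoding is "ECC error syndrome 8", which never contains the host name, so a <match> on the host name cannot hit; the host name lives in its own field.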