On Oct 9, 2013 8:11 PM, "Jeff Allison" <[email protected]> wrote:
>
> I obviously have the wrong end of the stick here.
>
> In our environment all of our *nix boxes log to a central server, and we monitor the logs there.
>
> We have a box "prodbio2" which is not long for this world and is generating a lot of logs that we don't want.
>
> IE...
>
> Oct 10 11:06:02 prodbio2 last message repeated 2 times
> Oct 10 11:06:02 prodbio2 kernel: link number 0
> Oct 10 11:06:02 prodbio2 last message repeated 2 times
> Oct 10 11:06:02 prodbio2 kernel: dram scrub error
> Oct 10 11:06:02 prodbio2 last message repeated 2 times
> Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
> Oct 10 11:06:02 prodbio2 last message repeated 2 times
> Oct 10 11:06:02 prodbio2 kernel: previous error lost
> Oct 10 11:06:02 prodbio2 last message repeated 2 times
> Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
> Oct 10 11:06:02 prodbio2 last message repeated 2 times
> Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
> Oct 10 11:06:31 prodbio2 last message repeated 2 times
> Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
> Oct 10 11:06:31 prodbio2 last message repeated 2 times
> Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
> Oct 10 11:06:31 prodbio2 last message repeated 2 times
> Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
> Oct 10 11:06:31 prodbio2 last message repeated 2 times
> Oct 10 11:06:32 prodbio2 kernel: bus error local node response, request didn't time out
> Oct 10 11:06:32 prodbio2 last message repeated 2 times
> Oct 10 11:06:32 prodbio2 kernel: link number 0
> Oct 10 11:06:32 prodbio2 last message repeated 2 times
> Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
> Oct 10 11:06:32 prodbio2 last message repeated 2 times
> Oct 10 11:06:32 prodbio2 kernel: previous error lost
> Oct 10 11:06:32 prodbio2 last message repeated 2 times
> Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
> Oct 10 11:06:32 prodbio2 last message repeated 2 times
>
> These generate logs like below that I don't care about so I want to ignore them.
>
> OSSEC HIDS Notification.
> 2013 Oct 10 11:03:06
>
> Received From: prodbio2->/mnt/syslogs/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
>
> I have the following in my local_rules.xml
>
> <rule id="100040" level="0">
> <if_sid>1002</if_sid>
> <match>prodbio2</match>
prodbio2 doesn't appear in the body of the log message, only in the header. Try hostname instead of match.

> <description>List of rules to be ignored.</description>
> <options>no_log</options>
> </rule>
>
> To filter them out, they don't.
>
> So what am I doing wrong?
>
> I presumably have got the wrong end of the stick somewhere, but where I have no idea.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
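As an added illustration (not from the thread or from OSSEC's own code), the Python below models why the rule above never fires: a simplified stand-in for OSSEC's syslog pre-decoder moves the timestamp and hostname into header fields, so a <match> test on the remaining body never sees "prodbio2", while a <hostname> test does. The header regex, the rule_fires helper and the webfront1 host are assumptions; the sample lines are constructed from the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, modelled on the ones quoted in the thread;
# webfront1 is an invented host whose ECC errors we still want to see.
SAMPLE_LOGS = [
    "Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8",
    "Oct 10 11:06:02 prodbio2 last message repeated 2 times",
    "Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0",
    "Oct 10 11:06:32 webfront1 kernel: corrected ecc error",
]

# Assumed, simplified model of OSSEC's syslog pre-decoder: timestamp and
# hostname become header fields, an optional "program:" prefix is split off,
# and only what remains is the log body that <match> is tested against.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<prog>[^:\s]+): )?(?P<msg>.*)$"
)

@dataclass
class Event:
    hostname: str
    program: str
    log: str  # body after header stripping; this is what <match> sees

def predecode(line: str) -> Event:
    m = SYSLOG_HDR.match(line)
    if not m:  # no recognisable header: the whole line is the body
        return Event(hostname="", program="", log=line)
    return Event(m["host"], m["prog"] or "", m["msg"])

def rule_fires(ev: Event, match: Optional[str] = None,
               hostname: Optional[str] = None) -> bool:
    """Emulate two rule conditions: <match> is a substring test on the
    stripped body, <hostname> a test on the header's hostname field."""
    if match is not None and match not in ev.log:
        return False
    if hostname is not None and hostname not in ev.hostname:
        return False
    return True

def silenced_by(rule: dict, lines: list) -> list:
    """Lines that a level-0 rule with the given condition would swallow."""
    return [ln for ln in lines if rule_fires(predecode(ln), **rule)]

BROKEN_RULE = {"match": "prodbio2"}    # the <match> form from local_rules.xml
FIXED_RULE = {"hostname": "prodbio2"}  # the <hostname> form the reply suggests
```

Running silenced_by with each rule over SAMPLE_LOGS shows the <match> form silencing nothing and the <hostname> form silencing exactly the three prodbio2 lines while leaving webfront1's alert intact.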
