My bad, seemed to need ^

<hostname>^prodbio2</hostname>

and it works. Thanks

On 10 October 2013 11:33, Jeff Allison <[email protected]> wrote:
> OK tried that didn't work.
>
> <rule id="100040" level="0">
>   <if_sid>1002</if_sid>
>   <hostname>prodbio2</hostname>
>   <description>List of rules to be ignored.</description>
>   <options>no_log</options>
> </rule>
>
> Is hostname a valid tag? I cannot see it here -->
> http://www.ossec.net/doc/syntax/head_rules.html
>
>
> On 10 October 2013 11:13, dan (ddp) <[email protected]> wrote:
>>
>> On Oct 9, 2013 8:11 PM, "Jeff Allison" <[email protected]> wrote:
>> >
>> > I obviously have the wrong end of the stick here.
>> >
>> > In our environment all of our *nix boxes log to a central server, and
>> > we monitor the logs there.
>> >
>> > We have a box "prodbio2" which is not long for this world and is
>> > generating a lot of logs that we don't want.
>> >
>> > IE...
>> >
>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:02 prodbio2 kernel: link number 0
>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:02 prodbio2 kernel: dram scrub error
>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:02 prodbio2 kernel: previous error lost
>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:32 prodbio2 kernel: bus error local node response, request didn't time out
>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:32 prodbio2 kernel: link number 0
>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:32 prodbio2 kernel: previous error lost
>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>> > Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>> >
>> > These generate logs like below that I don't care about so I want to
>> > ignore them.
>> >
>> > OSSEC HIDS Notification.
>> > 2013 Oct 10 11:03:06
>> >
>> > Received From: prodbio2->/mnt/syslogs/messages
>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> > Portion of the log(s):
>> >
>> > Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
>> >
>> > I have the following in my local_rules.xml
>> >
>> > <rule id="100040" level="0">
>> >   <if_sid>1002</if_sid>
>> >   <match>prodbio2</match>
>>
>> prodbio2 doesn't appear in the body of the log message, only in the
>> header. Try hostname instead of match.
>>
>> >   <description>List of rules to be ignored.</description>
>> >   <options>no_log</options>
>> > </rule>
>> >
>> > To filter them out, they don't.
>> >
>> > So what am I doing wrong?
>> >
>> > I presumably have got the wrong end of the stick somewhere, but where I
>> > have no idea.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
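The point dan makes in the thread (the host name sits in the syslog header, not in the part of the line a `<match>` is tested against) is easy to check by splitting a few of the quoted lines into header fields and body and applying both rule styles to them. The script below is an added example written for this page; it is not code from the ossec-list thread or from the OSSEC project. Its header/body split is a simplified stand-in for OSSEC's syslog decoding, Python's `re` stands in for OSSEC's own pattern engine, and the extra `webfront1` and `prodbio2-old` lines are constructed to show what the anchors do. It goes one step beyond the thread by also trying `^prodbio2$`: OSSEC's simple pattern syntax supports both `^` and `$`, and a prefix-only `^prodbio2` would also silence a similarly named host such as `prodbio2-old`, which a level-0 `no_log` rule should not do by accident.

```python
"""Added example: why <match>prodbio2</match> never fires on the quoted lines
while a <hostname> pattern does.  Not from the thread or from OSSEC; the
field split below only approximates OSSEC's syslog decoder."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the lines quoted in the thread, plus two
# constructed lines (webfront1, prodbio2-old) to show how the anchors behave.
SAMPLE_LOG = """\
Oct 10 11:06:02 prodbio2 last message repeated 2 times
Oct 10 11:06:02 prodbio2 kernel: link number 0
Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
Oct 10 11:07:15 webfront1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5
Oct 10 11:07:40 prodbio2-old kernel: corrected ecc error
"""

# Classic BSD syslog layout: "<Mon dd HH:MM:SS> <host> [<prog>[pid]: ]<body>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^:\s\[]+)(?:\[\d+\])?: )?"
    r"(?P<body>.*)$"
)


@dataclass
class LogEvent:
    timestamp: str
    hostname: str          # header field: this is where "prodbio2" lives
    program: Optional[str]
    body: str              # what a <match> is tested against


def parse_syslog_line(line: str) -> Optional[LogEvent]:
    """Split one syslog line into header fields and message body."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return LogEvent(m["ts"], m["host"], m["prog"], m["body"])


def body_match(event: LogEvent, needle: str) -> bool:
    """Stand-in for <match>: substring test against the message body only."""
    return needle in event.body


def hostname_match(event: LogEvent, pattern: str) -> bool:
    """Stand-in for <hostname>: pattern tested against the header host field."""
    return re.search(pattern, event.hostname) is not None


def silenced(log_text: str, field: str, pattern: str) -> List[str]:
    """Lines a level-0 rule using <field>pattern</field> would swallow.

    field is "match" or "hostname"; anything else is rejected so a typo in
    a rule name does not silently become a rule that matches nothing.
    """
    if field not in ("match", "hostname"):
        raise ValueError(f"unsupported rule field: {field}")
    hits = []
    for line in log_text.splitlines():
        ev = parse_syslog_line(line)
        if ev is None:
            continue  # not a syslog line; leave it for other rules
        hit = body_match(ev, pattern) if field == "match" else hostname_match(ev, pattern)
        if hit:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for field, pattern in (("match", "prodbio2"),
                           ("hostname", "^prodbio2"),
                           ("hostname", "^prodbio2$")):
        lines = silenced(SAMPLE_LOG, field, pattern)
        print(f"<{field}>{pattern}</{field}> silences {len(lines)} line(s)")
        for l in lines:
            print("   ", l)
```

Run as-is, the `<match>` variant silences nothing, `^prodbio2` silences six lines including the `prodbio2-old` one, and `^prodbio2$` silences exactly the five lines from the host being retired.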
