OK, tried that, didn't work.
<rule id="100040" level="0">
<if_sid>1002</if_sid>
<hostname>prodbio2</hostname>
<description>List of rules to be ignored.</description>
<options>no_log</options>
</rule>
Is hostname a valid tag? I cannot see it here -->
http://www.ossec.net/doc/syntax/head_rules.html
On 10 October 2013 11:13, dan (ddp) <[email protected]> wrote:
>
> On Oct 9, 2013 8:11 PM, "Jeff Allison" <[email protected]>
> wrote:
> >
> > I obviously have the wrong end of the stick here.
> >
> > In our environment all of our *nix boxes log to a central server, and we
> monitor the logs there.
> >
> > We have a box "prodbio2" which is not long for this world and is
> generating a lot of logs that we don't want.
> >
> > IE...
> >
> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> > Oct 10 11:06:02 prodbio2 kernel: link number 0
> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> > Oct 10 11:06:02 prodbio2 kernel: dram scrub error
> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> > Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> > Oct 10 11:06:02 prodbio2 kernel: previous error lost
> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> > Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> > Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> > Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> > Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> > Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> > Oct 10 11:06:32 prodbio2 kernel: bus error local node response,
> request didn't time out
> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> > Oct 10 11:06:32 prodbio2 kernel: link number 0
> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> > Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> > Oct 10 11:06:32 prodbio2 kernel: previous error lost
> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> > Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> >
> > These generate logs like below that I don't care about so I want to
> ignore them.
> >
> > OSSEC HIDS Notification.
> > 2013 Oct 10 11:03:06
> >
> > Received From: prodbio2->/mnt/syslogs/messages
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
> >
> > I have the following in my local_rules.xml
> >
> > <rule id="100040" level="0">
> > <if_sid>1002</if_sid>
> > <match>prodbio2</match>
>
> prodbio2 doesn't appear in the body of the log message, only in the
> header. Try hostname instead of match.
>
> > <description>List of rules to be ignored.</description>
> > <options>no_log</options>
> > </rule>
> >
> > To filter them out, they don't.
> >
> > So what am I doing wrong?
> >
> > I presumably have got the wrong end of the stick somewhere, but where I
> have no idea.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
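To illustrate the point Dan makes above (the hostname sits in the syslog header, which a rule's match tests never see, while hostname is tested against the decoded header field), here is an added Python sketch. It is not OSSEC code and not from either poster; the field names, the simplified rule dict and the sample lines are assumptions constructed for the demonstration.

```python
import re

# Constructed sample lines, shaped like the syslog excerpt in the thread.
SAMPLE_LOGS = [
    "Oct 10 11:06:02 prodbio2 kernel: corrected ecc error",
    "Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8",
    "Oct 10 11:06:02 dbhost01 kernel: corrected ecc error",
]

# BSD syslog header: "Mon DD HH:MM:SS hostname program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def decode(line: str) -> dict:
    """Split a syslog line into header fields and message body.

    The decoder strips the timestamp, hostname and program name; only
    the remaining body is what a body-match test gets to see.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"ts": "", "host": "", "prog": "", "msg": line}
    return m.groupdict()


def rule_fires(rule: dict, line: str) -> bool:
    """Evaluate a simplified rule (assumed dict form).

    'match' is a substring test on the message body only;
    'hostname' is a substring test on the decoded hostname field.
    """
    ev = decode(line)
    if "match" in rule and rule["match"] not in ev["msg"]:
        return False
    if "hostname" in rule and rule["hostname"] not in ev["host"]:
        return False
    return True


# The two variants discussed in the thread, as assumed dict equivalents.
MATCH_RULE = {"id": "100040", "level": 0, "match": "prodbio2"}
HOSTNAME_RULE = {"id": "100040", "level": 0, "hostname": "prodbio2"}


def ignored_by(rule: dict) -> list:
    """Return the sample lines the given rule would catch."""
    return [line for line in SAMPLE_LOGS if rule_fires(rule, line)]
```

Running ignored_by(MATCH_RULE) catches nothing, because "prodbio2" never occurs in the body after the header is stripped, while ignored_by(HOSTNAME_RULE) catches only the two prodbio2 lines and leaves the other host alone.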