Do I need the <options>no_log</options> or is level=0 enough?

<rule id="100040" level="0">

On 10 October 2013 11:37, Jeff Allison <[email protected]> wrote:
> My bad, seemed to need ^
>
> <hostname>^prodbio2</hostname>
>
> and it works.
>
> Thanks
>
> On 10 October 2013 11:33, Jeff Allison <[email protected]> wrote:
>> OK, tried that, didn't work.
>>
>> <rule id="100040" level="0">
>>   <if_sid>1002</if_sid>
>>   <hostname>prodbio2</hostname>
>>   <description>List of rules to be ignored.</description>
>>   <options>no_log</options>
>> </rule>
>>
>> Is hostname a valid tag? I cannot see it here -->
>> http://www.ossec.net/doc/syntax/head_rules.html
>>
>> On 10 October 2013 11:13, dan (ddp) <[email protected]> wrote:
>>> On Oct 9, 2013 8:11 PM, "Jeff Allison" <[email protected]> wrote:
>>> >
>>> > I obviously have the wrong end of the stick here.
>>> >
>>> > In our environment all of our *nix boxes log to a central server, and we monitor the logs there.
>>> >
>>> > We have a box "prodbio2" which is not long for this world and is generating a lot of logs that we don't want.
>>> >
>>> > IE...
>>> >
>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:02 prodbio2 kernel: link number 0
>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:02 prodbio2 kernel: dram scrub error
>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:02 prodbio2 kernel: previous error lost
>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:32 prodbio2 kernel: bus error local node response, request didn't time out
>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:32 prodbio2 kernel: link number 0
>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:32 prodbio2 kernel: previous error lost
>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>> > Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>> >
>>> > These generate logs like below that I don't care about, so I want to ignore them.
>>> >
>>> > OSSEC HIDS Notification.
>>> > 2013 Oct 10 11:03:06
>>> >
>>> > Received From: prodbio2->/mnt/syslogs/messages
>>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> > Portion of the log(s):
>>> >
>>> > Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
>>> >
>>> > I have the following in my local_rules.xml
>>> >
>>> > <rule id="100040" level="0">
>>> >   <if_sid>1002</if_sid>
>>> >   <match>prodbio2</match>
>>>
>>> prodbio2 doesn't appear in the body of the log message, only in the header. Try hostname instead of match.
>>>
>>> >   <description>List of rules to be ignored.</description>
>>> >   <options>no_log</options>
>>> > </rule>
>>> >
>>> > To filter them out, they don't.
>>> >
>>> > So what am I doing wrong?
>>> >
>>> > I presumably have got the wrong end of the stick somewhere, but where I have no idea.
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
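Dan's point in the thread is that the hostname lives in the syslog header, which the decoder strips off before a rule's <match> is tested against what remains. The Python below is an added illustration, not code from the thread or from OSSEC: it decodes constructed syslog lines in the same format as the excerpt (webfront1 is a made-up second host) and evaluates a simplified <match>-based and <hostname>-based rule against them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the format of the excerpt above; webfront1 is a
# made-up second host, included to show the hostname rule does not over-match.
SAMPLE_LOGS = [
    "Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8",
    "Oct 10 11:06:02 prodbio2 last message repeated 2 times",
    "Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE",
    "Oct 10 11:06:31 webfront1 kernel: ECC error syndrome 8",
]

# BSD syslog header: "Mmm dd HH:MM:SS hostname", then the rest of the line.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<rest>.*)$")

@dataclass
class Event:
    hostname: str             # header field, what <hostname> is tested against
    program: Optional[str]    # None for "last message repeated N times"
    body: str                 # what <match>/<regex> are tested against

def decode(line: str) -> Event:
    """Split the header off a syslog line, mimicking the decoder's pre-processing."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    rest = m["rest"]
    program, sep, body = rest.partition(": ")
    if not sep:                       # no "program:" prefix, e.g. repeat markers
        return Event(m["hostname"], None, rest)
    return Event(m["hostname"], re.sub(r"\[\d+\]$", "", program), body)

def rule_fires(rule: dict, ev: Event) -> bool:
    """Simplified evaluation: <match> is a substring test on the body,
    <hostname> is a regex test on the header's hostname field."""
    if "match" in rule and rule["match"] not in ev.body:
        return False
    if "hostname" in rule and not re.search(rule["hostname"], ev.hostname):
        return False
    return True

# The two variants tried in the thread (if_sid/description omitted here).
MATCH_RULE = {"id": "100040", "level": 0, "match": "prodbio2"}
HOSTNAME_RULE = {"id": "100040", "level": 0, "hostname": "^prodbio2"}

def count_ignored(rule: dict, lines: list) -> int:
    """Number of lines the level-0 rule would catch (and thus silence)."""
    return sum(rule_fires(rule, decode(line)) for line in lines)
```

With the constructed input, the <match> variant catches none of the prodbio2 lines and the <hostname> variant catches all three while leaving the other host alone.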
