level 0 should be enough.

On Wed, Oct 9, 2013 at 9:01 PM, Jeff Allison <[email protected]> wrote:
> Do I need the
>
> <options>no_log</options>
>
> or is level=0 enough?
>
> <rule id="100040" level="0">
>
>
> On 10 October 2013 11:37, Jeff Allison <[email protected]> wrote:
>>
>> My bad, it seemed to need ^
>>
>> <hostname>^prodbio2</hostname>
>>
>> and it works.
>>
>> Thanks
>>
>>
>> On 10 October 2013 11:33, Jeff Allison <[email protected]> wrote:
>>>
>>> OK, tried that, didn't work.
>>>
>>> <rule id="100040" level="0">
>>> <if_sid>1002</if_sid>
>>> <hostname>prodbio2</hostname>
>>> <description>List of rules to be ignored.</description>
>>> <options>no_log</options>
>>> </rule>
>>>
>>> Is hostname a valid tag? I cannot see it here -->
>>> http://www.ossec.net/doc/syntax/head_rules.html
>>>
>>>
>>> On 10 October 2013 11:13, dan (ddp) <[email protected]> wrote:
>>>>
>>>> On Oct 9, 2013 8:11 PM, "Jeff Allison" <[email protected]> wrote:
>>>> >
>>>> > I obviously have the wrong end of the stick here.
>>>> >
>>>> > In our environment all of our *nix boxes log to a central server, and
>>>> > we monitor the logs there.
>>>> >
>>>> > We have a box "prodbio2" which is not long for this world and is
>>>> > generating a lot of logs that we don't want.
>>>> >
>>>> > IE...
>>>> >
>>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:02 prodbio2 kernel: link number 0
>>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:02 prodbio2 kernel: dram scrub error
>>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
>>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:02 prodbio2 kernel: previous error lost
>>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
>>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
>>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
>>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
>>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
>>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:32 prodbio2 kernel: bus error local node response, request didn't time out
>>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:32 prodbio2 kernel: link number 0
>>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
>>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:32 prodbio2 kernel: previous error lost
>>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>>> > Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
>>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
>>>> >
>>>> > These generate logs like below that I don't care about, so I want to
>>>> > ignore them.
>>>> >
>>>> > OSSEC HIDS Notification.
>>>> > 2013 Oct 10 11:03:06
>>>> >
>>>> > Received From: prodbio2->/mnt/syslogs/messages
>>>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>>>> > system."
>>>> > Portion of the log(s):
>>>> >
>>>> > Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
>>>> >
>>>> > I have the following in my local_rules.xml
>>>> >
>>>> > <rule id="100040" level="0">
>>>> > <if_sid>1002</if_sid>
>>>> > <match>prodbio2</match>
>>>>
>>>> prodbio2 doesn't appear in the body of the log message, only in the
>>>> header. Try hostname instead of match.
>>>>
>>>> > <description>List of rules to be ignored.</description>
>>>> > <options>no_log</options>
>>>> > </rule>
>>>> >
>>>> > To filter them out, they don't.
>>>> >
>>>> > So what am I doing wrong?
>>>> >
>>>> > I presumably have got the wrong end of the stick somewhere, but where
>>>> > I have no idea.
>>>> >
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> > Groups "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send
>>>> > an email to [email protected].
>>>> > For more options, visit https://groups.google.com/groups/opt_out.
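A worked check of why `<match>prodbio2</match>` misses these lines while `<hostname>^prodbio2</hostname>` catches them, as an added example that is not from the thread or from OSSEC's own code: a simplified Python model of the pre-decode step (syslog header split from body) and of the two rule forms above, run over constructed sample lines (the `prodbio3` host is made up to show that other hosts still alert).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines shaped like the thread's syslog excerpt;
# prodbio3 is a made-up host whose alerts should still come through.
SAMPLE_LOGS = [
    "Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8",
    "Oct 10 11:06:02 prodbio2 last message repeated 2 times",
    "Oct 10 11:06:02 prodbio3 kernel: ECC error syndrome 8",
]

# Syslog header: timestamp, then hostname; everything after that is the body.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")

@dataclass
class Rule:
    rule_id: int
    level: int
    match: Optional[str] = None     # like <match>: tested against the body only
    hostname: Optional[str] = None  # like <hostname>: tested against the decoded host

def predecode(line):
    """Split a syslog line into (hostname, body); the header is not part of the body."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group("host"), m.group("body")

def os_match(pattern, text):
    """Simplified OS_Match-style test: a leading '^' anchors to the start, otherwise substring."""
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text

def rule_fires(rule, line):
    host, body = predecode(line)
    if rule.match is not None and not os_match(rule.match, body):
        return False
    if rule.hostname is not None and (host is None or not os_match(rule.hostname, host)):
        return False
    return True

def alert_level(line, child_rules, parent_level=2):
    """Level of the first child rule (if_sid 1002) that fires, else the parent rule's level."""
    for rule in child_rules:
        if rule_fires(rule, line):
            return rule.level
    return parent_level

BROKEN_RULE = Rule(100040, 0, match="prodbio2")      # the thread's first attempt
FIXED_RULE = Rule(100040, 0, hostname="^prodbio2")   # the form that worked
```

On a real manager, feeding one of these lines to `ossec-logtest` shows the decoded hostname and the rule that ends up firing, which is the quickest way to confirm a level-0 override before restarting.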
