Thanks

On Friday, October 11, 2013 1:06:13 AM UTC+11, dan (ddpbsd) wrote:
> level 0 should be enough.
>
> On Wed, Oct 9, 2013 at 9:01 PM, Jeff Allison <[email protected]> wrote:
> > Do I need the
> >
> > <options>no_log</options>
> >
> > or is level=0 enough?
> >
> > <rule id="100040" level="0">
> >
> > On 10 October 2013 11:37, Jeff Allison <[email protected]> wrote:
> >> My bad, seemed to need ^
> >>
> >> <hostname>^prodbio2</hostname>
> >>
> >> and it works.
> >>
> >> Thanks
> >>
> >> On 10 October 2013 11:33, Jeff Allison <[email protected]> wrote:
> >>> OK, tried that, didn't work.
> >>>
> >>> <rule id="100040" level="0">
> >>>   <if_sid>1002</if_sid>
> >>>   <hostname>prodbio2</hostname>
> >>>   <description>List of rules to be ignored.</description>
> >>>   <options>no_log</options>
> >>> </rule>
> >>>
> >>> Is hostname a valid tag? I cannot see it here -->
> >>> http://www.ossec.net/doc/syntax/head_rules.html
> >>>
> >>> On 10 October 2013 11:13, dan (ddp) <[email protected]> wrote:
> >>>> On Oct 9, 2013 8:11 PM, "Jeff Allison" <[email protected]> wrote:
> >>>> > I obviously have the wrong end of the stick here.
> >>>> >
> >>>> > In our environment all of our *nix boxes log to a central server, and
> >>>> > we monitor the logs there.
> >>>> >
> >>>> > We have a box "prodbio2" which is not long for this world and is
> >>>> > generating a lot of logs that we don't want.
> >>>> >
> >>>> > i.e.
> >>>> >
> >>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:02 prodbio2 kernel: link number 0
> >>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:02 prodbio2 kernel: dram scrub error
> >>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:02 prodbio2 kernel: corrected ecc error
> >>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:02 prodbio2 kernel: previous error lost
> >>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:02 prodbio2 kernel: NB error address 00000001d8c17750
> >>>> > Oct 10 11:06:02 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:31 prodbio2 kernel: CPU 1: Silent Northbridge MCE
> >>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:31 prodbio2 kernel: Northbridge status 94014000:00080a13
> >>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:31 prodbio2 kernel: Error chipkill ecc error
> >>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:31 prodbio2 kernel: ECC error syndrome 2
> >>>> > Oct 10 11:06:31 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:32 prodbio2 kernel: bus error local node response, request didn't time out
> >>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:32 prodbio2 kernel: link number 0
> >>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:32 prodbio2 kernel: corrected ecc error
> >>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:32 prodbio2 kernel: previous error lost
> >>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> >>>> > Oct 10 11:06:32 prodbio2 kernel: NB error address 000000010fa199a0
> >>>> > Oct 10 11:06:32 prodbio2 last message repeated 2 times
> >>>> >
> >>>> > These generate logs like below that I don't care about, so I want to
> >>>> > ignore them.
> >>>> >
> >>>> > OSSEC HIDS Notification.
> >>>> > 2013 Oct 10 11:03:06
> >>>> >
> >>>> > Received From: prodbio2->/mnt/syslogs/messages
> >>>> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> >>>> > Portion of the log(s):
> >>>> >
> >>>> > Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8
> >>>> >
> >>>> > I have the following in my local_rules.xml
> >>>> >
> >>>> > <rule id="100040" level="0">
> >>>> >   <if_sid>1002</if_sid>
> >>>> >   <match>prodbio2</match>
> >>>>
> >>>> prodbio2 doesn't appear in the body of the log message, only in the
> >>>> header. Try hostname instead of match.
> >>>>
> >>>> >   <description>List of rules to be ignored.</description>
> >>>> >   <options>no_log</options>
> >>>> > </rule>
> >>>> >
> >>>> > To filter them out, they don't.
> >>>> >
> >>>> > So what am I doing wrong?
> >>>> >
> >>>> > I presumably have got the wrong end of the stick somewhere, but where
> >>>> > I have no idea.
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
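The thread's fix turns on which field of the event each rule tag is tested against: the sender host name lives in the syslog header, so `<match>` on the message body never sees it, while `<hostname>` does. The Python below is an added illustration written for this page, not OSSEC's own code: it models the decode-then-match step with a simplified syslog header parser and constructed log lines, uses Python regex where OSSEC uses its own pattern syntax, and shows how anchoring the host pattern (`^prodbio2`, `^prodbio2$`) keeps an ignore rule from silencing other hosts.

```python
import re

# Constructed lines in the shape pasted in the thread; not captured from a real host.
SAMPLE_LOGS = [
    "Oct 10 11:04:01 prodbio2 kernel: ECC error syndrome 8",
    "Oct 10 11:06:32 prodbio2 kernel: corrected ecc error",
    "Oct 10 11:06:40 prodbio22 kernel: corrected ecc error",    # similar, different host
    "Oct 10 11:06:45 oldprodbio2 kernel: corrected ecc error",  # similar, different host
    "Oct 10 11:07:13 webfront1 kernel: corrected ecc error",
]

# Simplified BSD-syslog header: timestamp, hostname, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<message>.*)$"
)


def decode(line):
    """Split a raw line into header fields plus the message body, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_match(event, match=None, hostname=None):
    """Model of the two rule tags from the thread.
    <match>    : substring test against the decoded message body only.
    <hostname> : pattern test against the header's hostname field
                 (Python regex here; OSSEC has its own pattern dialect).
    Every field given must hold for the rule to fire."""
    if match is not None and match not in event["message"]:
        return False
    if hostname is not None and not re.search(hostname, event["hostname"]):
        return False
    return True


def count_hits(lines, **fields):
    """How many lines the modelled rule would swallow (level 0 / no_log)."""
    hits = 0
    for line in lines:
        event = decode(line)
        if event and rule_match(event, **fields):
            hits += 1
    return hits


if __name__ == "__main__":
    for spec in ({"match": "prodbio2"}, {"hostname": "prodbio2"},
                 {"hostname": "^prodbio2"}, {"hostname": "^prodbio2$"}):
        print(spec, "->", count_hits(SAMPLE_LOGS, **spec), "lines ignored")
```

Only the fully anchored host pattern limits the ignore rule to the decommissioned box; the body `<match>` from the original rule matches nothing, which is why rule 1002 kept alerting.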
