On Tue, Jan 6, 2015 at 6:03 AM, Fred974 <[email protected]> wrote:
> Hi Dan,
>
> Is there any chance you could give me a simple example please?
> Is this rule any good for my need?
>
> <group name="mygroup">
>     <rule id="100002" level="0">
>         <if_sid>31101</if_sid>
>     </rule>
>     <rule id="100004" level="2">
>         <if_sid>1002</if_sid>
>         <description>do not send by email</description>

This rule is a bad idea.

Maybe something closer to (totally untested):
<rule id="ID" level="0">
  <if_sid>1002</if_sid>
  <program_name>^smtpd</program_name>
  <match>Connection failed: No route to host</match>
  <description>Ignore no route to host errors</description>
</rule>

>     </rule>
> </group>
>
> Thank you
> Fred
>
> On Friday, 2 January 2015 13:49:28 UTC, Fred974 wrote:
>>
>> Hi,
>>
>> I keep receiving an email with the following content:
>>
>>> OSSEC HIDS Notification.
>>> 2015 Jan 02 12:00:01
>>>
>>> Received From: trinity->/var/log/maillog
>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>> Portion of the log(s):
>>>
>>> Jan  2 12:00:00 trinity smtpd[1161]: smtp-out: Error on session
>>> 07918989899b62f0: Connection failed: No route to host
>>>
>>>
>>>
>>>  --END OF NOTIFICATION
>>
>>
>> I read that if OSSEC receives a log that it doesn't know how to decode, it
>> will generate event 1002 - "Unknown problem somewhere in the system".
>> The solution is to configure a minimal decoder to identify a unique field
>> within the log so that OSSEC no longer considers the log unknown.
>>
>> Could someone please help me to understand how to apply this solution?
>> I'd appreciate a simple example to get me on track.
>>
>> Thank you
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

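As an added illustration (not from Dan or Fred, and not OSSEC's own code): a small Python model of how the posted level-0 child rule suppresses rule 1002 for the quoted smtpd line while other bad-word hits keep alerting. The BAD_WORDS list is an approximation of OSSEC's variable, rule ID 100010 stands in for Dan's "ID", and the sample log lines are constructed (the thread's line rejoined onto one line).

```python
import re

# Constructed approximation of OSSEC's BAD_WORDS variable (rules_config.xml);
# the real list may differ. Rule 1002 fires when any entry is a substring of
# the log, so the thread's smtpd line hits it through "failed".
BAD_WORDS = ["core_dumped", "failure", "error", "attack", " bad ", "illegal ",
             "denied", "refused", "unauthorized", "fatal", "failed",
             "Segmentation Fault", "Corrupted"]

# Hypothetical ID for Dan's level-0 child rule (he left it as "ID").
IGNORE_RULE_ID = 100010

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(\[\d+\])?: (?P<msg>.*)$")

def decode_syslog(line):
    """Stand-in for OSSEC's syslog pre-decoder: pull out the program field so
    that <program_name> is tested against it, not against the whole line."""
    m = SYSLOG_RE.match(line)
    return {"program_name": m.group("prog") if m else "", "log": line}

def evaluate(line):
    """Return (rule_id, level) the way OSSEC picks the final rule: 1002 (level 2)
    on any BAD_WORDS hit, then the child rule (if_sid 1002, level 0) overrides it
    when program_name and match both apply. Level 0 means no alert, no email."""
    event = decode_syslog(line)
    if not any(w in event["log"] for w in BAD_WORDS):
        return None, None  # rule 1002 never fires
    rule_id, level = 1002, 2
    # <program_name> is a regex anchored on the program field; <match> is a
    # plain, case-sensitive substring test, so the error text must be exact.
    if re.match(r"^smtpd", event["program_name"]) and \
       "Connection failed: No route to host" in event["log"]:
        rule_id, level = IGNORE_RULE_ID, 0
    return rule_id, level

def still_alerting(lines):
    """Lines whose final level is >= 1 would still reach alerts.log / email."""
    return [l for l in lines if (evaluate(l)[1] or 0) >= 1]

# Constructed samples: the thread's line (rejoined onto one line), a different
# smtpd error, and a non-smtpd bad-word line. Only the first is silenced.
SAMPLE_LOGS = [
    "Jan  2 12:00:00 trinity smtpd[1161]: smtp-out: Error on session "
    "07918989899b62f0: Connection failed: No route to host",
    "Jan  2 12:05:00 trinity smtpd[1161]: smtp-out: Error on session "
    "0791898989a0c1d2: Connection failed: Connection refused",
    "Jan  2 12:06:00 trinity sshd[2201]: error: maximum authentication attempts exceeded",
]
```

Running `still_alerting(SAMPLE_LOGS)` returns only the second and third lines, which is the behaviour to confirm with ossec-logtest before relying on the rule.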