On Mon, Jun 29, 2015 at 2:07 PM, Farnsworth, Robert <[email protected]> wrote:
> Hi,
>
> I am trying to suppress this alert - multipathd: sdc: failed to get sysfs
> information
>
> Received From: (Host) 10.xx.xx.xx->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jun 29 13:48:57 host multipathd: sdc: failed to get sysfs information
>
> I have added the following rule to my local.rule file. Can you give me any
> idea what I am doing wrong?
>
> <!-- 100054 Unknown problem somewhere in the system -->
> <rule id="100054" level="0">
>   <if_sid>1002</if_sid>
>   <match>multipathd: sd*: failed to get sysfs information</match>

"sd*" does not appear in the log message. If you actually mean "sd" followed by any character, use a regex instead:
<regex>multipathd: sd\d+: failed to get sysfs information</regex>

>   <description>Events ignored</description>
> </rule>
>
> Thanks
>
> Robert
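A complete form of the suppression rule discussed in this thread, as an added example that is not part of the original messages. In OSSEC's regex syntax `\d` matches only the digits 0-9, while `\w` matches letters, digits, `-`, `@` and `_`, so `\w+` is used here to cover lettered device names such as the `sdc` in the sample log. The `<program_name>` test and the unanchored pattern are assumptions made so the rule works whether or not the syslog pre-decoder has split `multipathd` out of the message text.

```xml
<!-- Added example: place inside the existing <group> of the local rules file. -->
<group name="local,syslog,">

  <!-- 100054: silence multipathd sysfs noise that otherwise fires rule 1002 -->
  <rule id="100054" level="0">
    <!-- Only evaluated for events that already matched the generic rule 1002 -->
    <if_sid>1002</if_sid>

    <!-- Assumption: the pre-decoder reports program_name 'multipathd' -->
    <program_name>multipathd</program_name>

    <!-- <match> treats '*' as a literal character, so a wildcard on the
         device name needs <regex>. \w+ covers sda, sdc, sdaa, sdb1, ...
         Left unanchored so it matches with or without the program prefix. -->
    <regex>sd\w+: failed to get sysfs information</regex>

    <description>Events ignored</description>
  </rule>

</group>
```

To check it before restarting the manager, paste the sample line from the alert into `/var/ossec/bin/ossec-logtest` and confirm that rule 100054 is the one reported.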
