Let's keep things simple for the purposes of troubleshooting. Verify a basic 
rule works, then you can get as complex as you like. Try using this:

  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>Update peer failed with code 22</match>
    <description>testing</description>
  </rule>

Also, copy/paste the exact alert message when/if you get one. Be very careful 
not to replace white space if you are sanitizing the data. It will allow us to 
corroborate what you are seeing.
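Added example, not from anyone in this thread: a toy model of the two points made here (a level-0 child rule hung off 1002 via if_sid, and the alert_by_email option firing regardless of email_alert_level). The 1002 keyword list, the threshold of 7 and the XML parsing are assumptions for the demo, not the real syslog_rules.xml or analysisd code.

```python
import xml.etree.ElementTree as ET

EMAIL_ALERT_LEVEL = 7  # assumed ossec.conf email_alert_level for the demo

# Constructed stand-in for rule 1002 plus the suggested level-0 child.
# The real $BAD_WORDS list is much longer than these three keywords.
RULES_XML = """
<group name="demo">
  <rule id="1002" level="2">
    <match>failed|error|denied</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>Update peer failed with code 22</match>
    <description>testing</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        rules.append({
            "id": r.get("id"), "level": int(r.get("level")),
            "match": r.findtext("match") or "",
            "if_sid": r.findtext("if_sid"),
            "options": (r.findtext("options") or "").split(),
            "description": r.findtext("description") or "",
        })
    return rules

def matches(rule, log):
    # <match> is a substring test; '|' separates alternatives.
    return any(alt in log for alt in rule["match"].split("|"))

def evaluate(rules, log):
    """First matching parent rule wins, then its first matching child."""
    parents = [r for r in rules if r["if_sid"] is None and matches(r, log)]
    if not parents:
        return None
    parent = parents[0]
    for child in rules:
        if child["if_sid"] == parent["id"] and matches(child, log):
            return child
    return parent

def will_email(rule):
    # Level 0 is ignored outright; otherwise the threshold OR alert_by_email decides.
    if rule is None or rule["level"] == 0:
        return False
    return rule["level"] >= EMAIL_ALERT_LEVEL or "alert_by_email" in rule["options"]
```

Run the same log line through with and without the child rule to see why the child must reference 1002 via if_sid rather than stand on its own.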


From: [email protected] [mailto:[email protected]] On 
Behalf Of Daniel Bray
Sent: Wednesday, November 25, 2015 12:20 PM
To: ossec-list <[email protected]>
Subject: Re: [ossec-list] ossec-logtest returns Level 0 but still getting email 
alerts Level 2

On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote:
On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 
1002, right there towards the top. Note the options element, which contains 
alert_by_email. That option tells OSSEC to ignore your email_alert_level and 
just send an email every time this rule matches. As you have seen, rule 1002 
is a catch-all heuristics rule that attempts to identify problems in logs based 
on certain keywords.


Thank you, that explains why level 2 alerts are generating the emails for the 
"BAD_WORDS". I was under the impression that the default level of 7 was for all 
types of rules, but that is clear now.

I'm now left with the feeling that that is the main cause of these alerts coming 
in: even though I have the filters in local_rules.xml, level 2 alerts are still 
coming in, even when logtest shows that it should stop. Here is another simple 
example of a local_rule working for logtest, but still generating email alerts.

/var/ossec/rules/local_rules.xml
  <rule id="100010" level="0">
    <program_name>accelerator</program_name>
    <regex>Update peer failed with code 22</regex>
    <description>Ignore Expand Warnings</description>
  </rule>

/var/ossec/bin/ossec-logtest
2015/11/25 19:15:23 ossec-testrule: INFO: Reading local decoder file.
2015/11/25 19:15:24 ossec-testrule: INFO: Started (pid: 6713).
ossec-testrule: Type one log per line.

Nov 25 19:11:45 x.x.x.x accelerator[4124]:     Update peer failed with code 22.


**Phase 1: Completed pre-decoding.
       full event: 'Nov 25 19:11:45 x.x.x.x accelerator[4124]:     Update peer 
failed with code 22.'
       hostname: 'x.x.x.x'
       program_name: 'accelerator'
       log: '    Update peer failed with code 22.'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100010'
       Level: '0'
       Description: 'Ignore Expand Warnings'


So, even though logtest shows it will be a Level: '0', I still get an email 
alert as:
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
