I'm trying to ignore an NRPE SSL handshake alert while I wait for the 
responsible team to resolve it. 

Here is a sample alert:


OSSEC HIDS Notification.
2016 Apr 16 18:06:17

Received From: (some_host) some_ip->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5

--END OF NOTIFICATION


Here is the rule I have created in my local_rules.xml config.

<group name="local,syslog,">
  <rule id="100000" level="0">
    <if_sid>1002</if_sid>
    <program_name>nrpe</program_name>
    <options>no_email_alert</options>
    <match>Could not complete SSL handshake</match>
    <description>Ignore nrpe ssl handshake errors</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->


This still does not seem to be working. I've tried altering the rule by 
dropping program name and options. I've restarted the OSSEC daemon on the 
server after every change.

Could anyone point me in the right direction?
