Your rule triggers for me when I test it (on v2.8.3), so the problem is likely not with your rule. It is worth noting however that the "<options>no_email_alert</options>" is redundant in this case, because the rule level is set to zero.
What is the output of ossec-logtest, using the line from your sample alert? No errors in your ossec.log on the server? Are other rules in your local_rules.xml working?

From: [email protected] [mailto:[email protected]] On Behalf Of James Stallings
Sent: Saturday, April 16, 2016 3:42 PM
To: ossec-list <[email protected]>
Subject: [ossec-list] Rule 1002 continues to fire after creating local overwriting rule

I'm trying to ignore an NRPE ssl handshake alert while I wait for the responsible team to resolve it. Here is a sample alert:

OSSEC HIDS Notification.
2016 Apr 16 18:06:17

Received From: (some_host) some_ip->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5

--END OF NOTIFICATION

Here is the rule I have created in my local_rules.xml config.

<group name="local,syslog,">
  <rule id="100000" level="0">
    <if_sid>1002</if_sid>
    <program_name>nrpe</program_name>
    <options>no_email_alert</options>
    <match>Could not complete SSL handshake</match>
    <description>Ignore nrpe ssl handshake errors</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->

This still does not seem to be working. I've tried altering the rule by dropping program name and options. I've restarted the OSSEC daemon on the server after every change. Could anyone point me in the right direction?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
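The reply asks for the ossec-logtest output for the sample line, which is the standard way to confirm that a level-0 override in local_rules.xml is actually the rule that wins. The script below is an added example, not code from the thread or from the OSSEC project: it feeds the exact log line from the sample alert into ossec-logtest and reads back the rule id and level reported in "Phase 3" of its output. It assumes the default install path /var/ossec/bin/ossec-logtest and the phase-based output format of OSSEC 2.x; the embedded logtest output is constructed for offline testing of the parser, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): verify on the OSSEC server which rule
# matches the NRPE line from the sample alert, using ossec-logtest.
# Assumption: default install path for the OSSEC manager.
LOGTEST=/var/ossec/bin/ossec-logtest

# Log line copied from the sample alert in the original message.
SAMPLE_LOG='Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5'

# Constructed sample of what ossec-logtest prints when the local rule wins.
# Illustrative only; the wording follows the OSSEC 2.x phase output format.
SAMPLE_LOGTEST_OUTPUT="**Phase 1: Completed pre-decoding.
       full event: '$SAMPLE_LOG'
       hostname: 'some_host'
       program_name: 'nrpe'
       log: 'Error: Could not complete SSL handshake. 5'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100000'
       Level: '0'
       Description: 'Ignore nrpe ssl handshake errors'"

# Read ossec-logtest output on stdin and print the rule id from Phase 3.
# Prints nothing if no rule matched.
logtest_rule_id() {
    awk -F"'" '/Phase 3/ {p=1} p && /Rule id:/ {print $2; exit}'
}

# Read ossec-logtest output on stdin and print the alert level from Phase 3.
logtest_level() {
    awk -F"'" '/Phase 3/ {p=1} p && /Level:/ {print $2; exit}'
}

# Return 0 when the local override (rule 100000) matched at level 0, meaning
# the event is still processed but no alert and no e-mail would be generated.
rule_silenced() {
    out=$(cat)
    rid=$(printf '%s\n' "$out" | logtest_rule_id)
    lvl=$(printf '%s\n' "$out" | logtest_level)
    [ "$rid" = "100000" ] && [ "$lvl" = "0" ]
}

# Run the real tool against the sample line and report the result.
# Exit code: 0 = override matched, 1 = some other rule matched, 2 = tool missing.
check_rule() {
    if [ ! -x "$LOGTEST" ]; then
        echo "ossec-logtest not found at $LOGTEST (run this on the OSSEC server)" >&2
        return 2
    fi
    out=$(printf '%s\n' "$SAMPLE_LOG" | "$LOGTEST" 2>&1)
    rid=$(printf '%s\n' "$out" | logtest_rule_id)
    lvl=$(printf '%s\n' "$out" | logtest_level)
    echo "matched rule id: ${rid:-none}, level: ${lvl:-none}"
    printf '%s\n' "$out" | rule_silenced
}

# Use the real tool when present; otherwise exercise the parser on the
# constructed output so the script still demonstrates the check offline.
if [ -x "$LOGTEST" ]; then
    check_rule
else
    printf '%s\n' "$SAMPLE_LOGTEST_OUTPUT" | rule_silenced \
        && echo "parser check on constructed output: OK"
fi
```

ossec-logtest must be run on the manager (normally as root), because it loads the server's own ossec.conf and rule files; if "Rule id: '1002'" still shows in Phase 3 after a restart, the server is not loading the local rule at all, which points at the include of local_rules.xml or an XML parse error recorded in ossec.log rather than at the rule body. A level-0 match is still listed in Phase 3; it simply produces no alert, which is why the no_email_alert option adds nothing here.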
