This is the first rule I have attempted since inheriting the 
system/platform.

> It is worth noting however that the "<options>no_email_alert</options>" is
> redundant in this case, because the rule level is set to zero.


Yea, I was grasping at straws here. 


On Monday, April 18, 2016 at 12:05:54 PM UTC-4, LostInThe Tubez wrote:
>
> Your rule triggers for me when I test it (on v2.8.3), so the problem is 
> likely not with your rule. It is worth noting however that the 
> "<options>no_email_alert</options>" is redundant in this case, because the 
> rule level is set to zero. 
>
>  
>
> What is the output of ossec-logtest, using the line from your sample 
> alert? No errors in your ossec.log on the server? Are other rules in your 
> local_rules.xml working?
>
>  
>
>  
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *James Stallings
> *Sent:* Saturday, April 16, 2016 3:42 PM
> *To:* ossec-list <[email protected]>
> *Subject:* [ossec-list] Rule 1002 continues to fire after creating local
> overwriting rule
>
>  
>
> I'm trying to ignore an NRPE ssl handshake alert while I wait for the
> responsible team to resolve it.
>
>  
>
> Here is a sample alert:
>
>  
>
> OSSEC HIDS Notification.
> 2016 Apr 16 18:06:17
> Received From: (some_host) some_ip->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL 
> handshake. 5
>
> --END OF NOTIFICATION
>
>  
>
> Here is the rule I have created in my local_rules.xml config.
>
>  
>
> <group name="local,syslog,">
> <rule id="100000" level="0">
> <if_sid>1002</if_sid>
> <program_name>nrpe</program_name>
> <options>no_email_alert</options>
> <match>Could not complete SSL handshake</match>
> <description>Ignore nrpe ssl handshake errors</description>
> </rule>
> </group> <!-- SYSLOG,LOCAL -->
>
>  
>
> This still does not seem to be working. I've tried altering the rule by
> dropping program name and options. I've restarted the OSSEC daemon on the
> server after every change.
>
>  
>
> Could anyone point me in the right direction?
>
> -- 
>
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
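To reason offline about why the level-0 child rule above should catch the quoted sample line, and what happens when one of its conditions is off, here is an added Python script; it is not part of the thread and not OSSEC's own code. It emulates, in simplified form, the syslog decoding and the if_sid / program_name / match evaluation that ossec-logtest performs. The assumptions are: `<match>` and `<program_name>` are treated as case-sensitive substring tests (a simplification of OSSEC's OSMatch/OSRegex), and the parent rule 1002 at level 2 is taken from the sample alert. The rule XML and log line are copied from the post; the extra `sshd` and lowercase variants are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Rule copied from the post's local_rules.xml (group trailing comment dropped).
LOCAL_RULES_XML = """<group name="local,syslog,">
<rule id="100000" level="0">
<if_sid>1002</if_sid>
<program_name>nrpe</program_name>
<options>no_email_alert</options>
<match>Could not complete SSL handshake</match>
<description>Ignore nrpe ssl handshake errors</description>
</rule>
</group>"""

# Log line copied from the sample alert in the post.
SAMPLE_LOG = ("Apr 16 18:06:16 some_host nrpe[12791]: "
              "Error: Could not complete SSL handshake. 5")

# Constructed variants: same message from another program, and lowercased.
OTHER_PROGRAM_LOG = SAMPLE_LOG.replace("nrpe[12791]", "sshd[4242]")
LOWERCASE_LOG = SAMPLE_LOG.replace("SSL handshake", "ssl handshake")

# Minimal stand-in for OSSEC's syslog decoder: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def decode_syslog(line):
    """Return the fields OSSEC's rules see (program_name, log) or None if undecodable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"program_name": m.group("prog"), "log": m.group("msg"), "full_log": line}


def parse_rules(xml_text):
    """Parse <rule> elements into dicts; only the fields used by this emulation are kept."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        sids = (r.findtext("if_sid") or "").split(",")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [int(s) for s in sids if s.strip()],
            "program_name": r.findtext("program_name"),
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        })
    return rules


def rule_matches(rule, event, parent_sid):
    """Assumed semantics: if_sid gates on the parent that fired; the other two are substring tests."""
    if rule["if_sid"] and parent_sid not in rule["if_sid"]:
        return False
    if rule["program_name"] and rule["program_name"] not in event["program_name"]:
        return False
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    return True


def evaluate(line, xml_text=LOCAL_RULES_XML, parent_sid=1002, parent_level=2):
    """Return (rule_id, level) of the final rule, like the 'Rule: X (level Y)' line of ossec-logtest.

    Level 0 means OSSEC ignores the event, so no alert (and no e-mail) is produced.
    If no child rule matches, the parent rule's id and level stand.
    """
    event = decode_syslog(line)
    if event is None:
        return None
    for rule in parse_rules(xml_text):
        if rule_matches(rule, event, parent_sid):
            return rule["id"], rule["level"]
    return parent_sid, parent_level


if __name__ == "__main__":
    for label, line in (("sample", SAMPLE_LOG),
                        ("other program", OTHER_PROGRAM_LOG),
                        ("lowercase", LOWERCASE_LOG)):
        print(f"{label:14s} -> rule {evaluate(line)}")
```

Running it shows the sample line resolving to rule 100000 at level 0 (suppressed), while the same message from a different program, or with different letter case in the matched text, falls back to rule 1002 at level 2; that is the kind of mismatch ossec-logtest exposes directly, which is why the reply asks for its output.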
