How do I get OSSEC to ignore a specific textual alert and not show it in the alerts file? I know I can create a local_rules.xml file and get it to ignore a specific rule but I need something more specific than that.
This is the alert that I see in the alerts file (/var/ossec/logs/alerts/alerts.log):

    ** Alert 1464690578.111537: mail - ossec,rootcheck,
    2016 May 31 11:29:38 (XYZabc02) any->rootcheck
    Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
    File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.

So I would like OSSEC to not show the above alert in the alerts file. Is there a way to do that? More generally, is there a way to whitelist specific alerts so they don't show up in the alerts file?

I see that the guy here has the same problem, but his solution does not work: https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles

Cheers,
Tahir

You received this message because you are subscribed to the Google Groups "ossec-list" group.

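As an added illustration (not part of the original post, and not something the poster or anyone on the list supplied), this is the usual way to silence one specific message under an existing rule rather than the whole rule: a child rule in /var/ossec/rules/local_rules.xml that fires only when the parent rule 510 matched and the event text contains the exact file path, and that carries level 0, which OSSEC treats as "do not alert". The rule id 100100, the group name and the description are arbitrary choices for this example; any unused id in the 100000-119999 range reserved for local rules works.

```xml
<!-- /var/ossec/rules/local_rules.xml (example addition, not from the thread) -->
<group name="local,rootcheck,">

  <!-- Child of the stock rule 510 (rootcheck anomaly). if_sid means this rule
       is only evaluated after 510 already matched, and match is a plain
       substring test against the rootcheck message text.
       level="0" suppresses the alert entirely: nothing is written to
       alerts.log and no e-mail is sent. The id 100100 is arbitrary. -->
  <rule id="100100" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/.blkid.tab.old' present on /dev</match>
    <description>Ignore known-benign blkid cache file flagged by rootcheck.</description>
  </rule>

</group>
```

Keep the match string narrow (the full path, not just /dev) so that only this one finding is suppressed while other "possible hidden file" detections on /dev still alert; a restart with /var/ossec/bin/ossec-control restart is needed for the rule to be loaded.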