On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <[email protected]> wrote:
> How do I get OSSEC to ignore a specific textual alert and not show it in the
> alerts file?
> I know I can create a local_rules.xml file and get it to ignore a specific
> rule but I need something more specific than that.
>
> This is the alert that I see in the alerts file
> (/var/ossec/logs/alerts/alerts.log):
>
> ** Alert 1464690578.111537: mail - ossec,rootcheck,
> 2016 May 31 11:29:38 (XYZabc02) any->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.
>
>
> So I would like OSSEC to not show the above alert in the alerts file.
> Is there a way to do that?
>
> More generally, is there a way to whitelist specific alerts so they don't
> show up in the alerts file?
>

Have you tried creating a child rule that looks for "/dev/.blkid.tab.old"?

> I see that the guy here has the same problem but his solution does not work:
> https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles
>
> Cheers,
> Tahir
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
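One way to write the child rule suggested in the reply, as an added example that is not from the thread or from the OSSEC project's own rule files: the rule id 100100, the group name and the description are my choices, and the file is assumed to be /var/ossec/rules/local_rules.xml, which the stock ossec.conf includes after the built-in rules.

```xml
<!-- /var/ossec/rules/local_rules.xml (assumed path; loaded after the stock
     rule files, so a local child rule can override rule 510 for one case) -->
<group name="local,rootcheck,">

  <!-- Child rule of 510: it fires only when the rootcheck message contains
       the literal path in <match>. Level 0 events are never written to
       alerts.log, so this one alert is suppressed while every other 510
       event (other hidden files on /dev, rootkit signatures) is still
       reported at level 7. Ids 100000-119999 are the range set aside for
       local rules; 100100 is an arbitrary pick in that range. -->
  <rule id="100100" level="0">
    <if_sid>510</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore the blkid cache file on /dev (known file, not a hidden one).</description>
  </rule>

</group>
```

Restart OSSEC (/var/ossec/bin/ossec-control restart) after editing the file; rootcheck runs on a schedule, so the change shows only once the next scan completes. Keep the path literal and specific as above rather than matching on "Possible hidden file", which would silence the detection for every hidden file on /dev.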
