Thanks, will give it a try in the local_rules.xml. Am I right in thinking that Level 0 still keeps a log in /var/ossec/logs/ossec.log, and it's just the alerts file that the log is kept out of?
On Wednesday, 1 June 2016 12:59:42 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Jun 1, 2016 at 5:17 AM, Tahir Hafiz <[email protected]> wrote:
> > Creating a child rule like that looks for "/dev/.blkid.tab.old" and ignores
> > it, okay, I am trying to find examples of such things.
> > Do you have a link or any examples of such a thing?
> >
>
> The rules files are full of examples.
>
> > I don't need to create such a rule in local_rules.xml do I?
> >
> > I think I should create such a rule in ossec_rules.xml where the 510 rule
> > exist.
> > Is that correct?
> >
>
> Using local_rules.xml is the best option. The other rule files will
> get overwritten during an upgrade, and your changes would be lost.
>
> Something like (and I haven't tested this or anything):
>
> <rule id="800001" level="0">
>   <if_sid>510</if_sid>
>   <match>/dev/.blkid.tab.old</match>
>   <description>Ignore /dev/.blkid.tab.old</description>
> </rule>
>
> >
> > <rule id="510" level="7">
> >   <if_sid>509</if_sid>
> >   <description>Host-based anomaly detection event (rootcheck).</description>
> >   <group>rootcheck,</group>
> >   <if_fts />
> > </rule>
> >
> > Above is the stanza, I will try to add to it by reading this pdf about
> > rules:
> > http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
> >
> >
> > On Tuesday, 31 May 2016 17:42:10 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <[email protected]> wrote:
> >> > How do I get OSSEC to ignore a specific textual alert and not show it in
> >> > the alerts file?
> >> > I know I can create a local_rules.xml file and get it to ignore a specific
> >> > rule but I need something more specific than that.
> >> >
> >> > This is the alert that I see in the alerts file
> >> > (/var/ossec/logs/alerts/alerts.log):
> >> >
> >> > ** Alert 1464690578.111537: mail - ossec,rootcheck,
> >> > 2016 May 31 11:29:38 (XYZabc02) any->rootcheck
> >> > Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> >> > File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.
> >> >
> >> >
> >> > So I would like OSSEC to not show the above alert in the alerts file.
> >> > Is there a way to do that?
> >> >
> >> > More generally is there a way to whitelist specific alerts so they don't
> >> > show up in the alerts file.
> >> >
> >>
> >> Have you tried creating a child rule that looks for "/dev/.blkid.tab.old"?
> >>
> >> > I see that the guy here has the same problem but his solution does not
> >> > work:
> >> > https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles
> >> >
> >> > Cheers,
> >> > Tahir
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
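A complete local_rules.xml carrying dan's suggested child rule, as an added example that is not part of the thread: OSSEC only loads rules that sit inside a <group> element, and a level 0 rule means the matching event is ignored, so it is never written to alerts.log or emailed. The file path and the "local,syslog," group name are the stock OSSEC defaults, assumed here.

```xml
<!-- /var/ossec/rules/local_rules.xml: kept across upgrades, unlike ossec_rules.xml -->
<group name="local,syslog,">

  <!-- Child of rule 510. When the rootcheck message contains this exact
       path the event is matched by 800001 instead of 510. Level 0 means
       "ignore": no entry in alerts.log and no alert email. <match> is a
       plain substring test in OSSEC, so the dots are literal characters
       and nothing else under 510 is affected. -->
  <rule id="800001" level="0">
    <if_sid>510</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore /dev/.blkid.tab.old</description>
  </rule>

</group>
```

Before restarting OSSEC, starting /var/ossec/bin/ossec-logtest will at least confirm the rule file parses, since it loads the rule set and reports XML errors on startup.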
