On Wed, Jun 1, 2016 at 8:36 AM, Tahir Hafiz <[email protected]> wrote:
> Thanks, will give it a try in the local_rules.xml
>
> Am I right in thinking that Level 0 still keeps a log in
> /var/ossec/logs/ossec.log, it's just the alerts file that the log is kept
> out of?
>

No, level 0 does not create a log entry. And alerts are stored in
/var/ossec/logs/alerts/alerts.log, not ossec.log.

>
> On Wednesday, 1 June 2016 12:59:42 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 1, 2016 at 5:17 AM, Tahir Hafiz <[email protected]> wrote:
>> > Creating a child rule like that looks for "/dev/.blkid.tab.old" and
>> > ignores it, okay, I am trying to find examples of such things.
>> > Do you have a link or any examples of such a thing?
>> >
>>
>> The rules files are full of examples.
>>
>> > I don't need to create such a rule in local_rules.xml, do I?
>> >
>> > I think I should create such a rule in ossec_rules.xml where the 510
>> > rule exists.
>> > Is that correct?
>> >
>>
>> Using local_rules.xml is the best option. The other rule files will
>> get overwritten during an upgrade, and your changes would be lost.
>>
>> Something like (and I haven't tested this or anything):
>>
>> <rule id="800001" level="0">
>>   <if_sid>510</if_sid>
>>   <match>/dev/.blkid.tab.old</match>
>>   <description>Ignore /dev/.blkid.tab.old</description>
>> </rule>
>>
>> >
>> > <rule id="510" level="7">
>> >   <if_sid>509</if_sid>
>> >   <description>Host-based anomaly detection event (rootcheck).</description>
>> >   <group>rootcheck,</group>
>> >   <if_fts />
>> > </rule>
>> >
>> > Above is the stanza, I will try to add to it by reading this pdf about
>> > rules:
>> > http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
>> >
>> > On Tuesday, 31 May 2016 17:42:10 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <[email protected]> wrote:
>> >> > How do I get OSSEC to ignore a specific textual alert and not show it
>> >> > in the alerts file?
>> >> > I know I can create a local_rules.xml file and get it to ignore a
>> >> > specific rule, but I need something more specific than that.
>> >> >
>> >> > This is the alert that I see in the alerts file
>> >> > (/var/ossec/logs/alerts/alerts.log):
>> >> >
>> >> > ** Alert 1464690578.111537: mail - ossec,rootcheck,
>> >> > 2016 May 31 11:29:38 (XYZabc02) any->rootcheck
>> >> > Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
>> >> > File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.
>> >> >
>> >> > So I would like OSSEC to not show the above alert in the alerts file.
>> >> > Is there a way to do that?
>> >> >
>> >> > More generally, is there a way to whitelist specific alerts so they
>> >> > don't show up in the alerts file?
>> >> >
>> >>
>> >> Have you tried creating a child rule that looks for
>> >> "/dev/.blkid.tab.old"?
>> >>
>> >> > I see that the guy here has the same problem but his solution does
>> >> > not work:
>> >> > https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles
>> >> >
>> >> > Cheers,
>> >> > Tahir
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
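Added example, not part of the thread and not OSSEC's own code: a toy Python model of the parent/child rule chain the thread is about, showing why a level-0 child with <if_sid>510</if_sid> and a <match> keeps the blkid event out of alerts.log while every other rootcheck event still fires rule 510 at level 7. Assumptions are marked in the code: rule 509 is a stub written here in the shape of the stock parent (its real definition and the <if_fts /> on 510 are not modelled), <match> is treated as a plain substring test rather than OSSEC's own pattern syntax, and the alerts.log threshold is taken to be the ossec.conf <log_alert_level> default of 1. The three sample events are constructed, the first one from the alert text quoted in the thread.

```python
"""Toy model of OSSEC parent/child rule evaluation (constructed example, not OSSEC code)."""
from __future__ import annotations

from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

# Constructed rule set. 509 is a stub written here for the example; 510 and the
# level-0 child 800001 are the rules from the thread (800001 belongs in local_rules.xml).
RULES_XML = """
<group name="rootcheck,">
  <rule id="509" level="0">
    <decoded_as>rootcheck</decoded_as>
    <description>Rootcheck event (stub shape, assumed for this example).</description>
  </rule>
  <rule id="510" level="7">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
  </rule>
  <rule id="800001" level="0">
    <if_sid>510</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore /dev/.blkid.tab.old</description>
  </rule>
</group>
"""

# Constructed events: the alert text from the thread plus two controls.
BLKID_EVENT = {"decoder": "rootcheck",
               "full_log": "File '/dev/.blkid.tab.old' present on /dev. Possible hidden file."}
OTHER_ROOTCHECK_EVENT = {"decoder": "rootcheck",
                         "full_log": "File '/dev/.example.hidden' present on /dev. Possible hidden file."}
SSHD_EVENT = {"decoder": "sshd", "full_log": "Accepted publickey for alice from 192.0.2.10"}


@dataclass
class Rule:
    rule_id: str
    level: int
    description: str
    if_sid: list[str] = field(default_factory=list)
    decoded_as: str | None = None
    match: str | None = None


def load_rules(xml_text: str) -> list[Rule]:
    """Parse <rule> elements in file order; order matters because children follow parents."""
    rules = []
    for node in ET.fromstring(xml_text.strip()).iter("rule"):
        sids = (node.findtext("if_sid") or "").split(",")
        rules.append(Rule(
            rule_id=node.get("id"),
            level=int(node.get("level", "0")),
            description=(node.findtext("description") or "").strip(),
            if_sid=[s.strip() for s in sids if s.strip()],
            decoded_as=node.findtext("decoded_as"),
            match=node.findtext("match"),
        ))
    return rules


def evaluate(rules: list[Rule], event: dict) -> Rule | None:
    """Walk the rules: a child (<if_sid>) is only tried while its parent is the current
    match, and the last rule to match wins, which is how the level-0 child overrides 510.
    <match> is modelled as a substring test (assumption; OSSEC has its own pattern syntax)."""
    current = None
    for rule in rules:
        if rule.if_sid and (current is None or current.rule_id not in rule.if_sid):
            continue
        if rule.decoded_as and rule.decoded_as != event["decoder"]:
            continue
        if rule.match and rule.match not in event["full_log"]:
            continue
        current = rule
    return current


def written_to_alerts_log(rule: Rule | None, log_alert_level: int = 1) -> bool:
    """With the ossec.conf <log_alert_level> default of 1, a level-0 match is never written
    to /var/ossec/logs/alerts/alerts.log; as the reply says, it creates no log entry at all."""
    return rule is not None and rule.level >= log_alert_level


def dangling_parents(rules: list[Rule]) -> list[tuple[str, str]]:
    """Sanity check for local_rules.xml: every <if_sid> must name a rule that exists,
    otherwise the child can never fire and the original alert keeps appearing."""
    known = {r.rule_id for r in rules}
    return [(r.rule_id, sid) for r in rules for sid in r.if_sid if sid not in known]


if __name__ == "__main__":
    loaded = load_rules(RULES_XML)
    print("dangling parents:", dangling_parents(loaded))
    for ev in (BLKID_EVENT, OTHER_ROOTCHECK_EVENT, SSHD_EVENT):
        hit = evaluate(loaded, ev)
        label = f"rule {hit.rule_id} (level {hit.level})" if hit else "no rule"
        print(f"{ev['full_log'][:40]!r:45} -> {label}; written: {written_to_alerts_log(hit)}")
```

The real-world counterpart of this evaluator is OSSEC's own /var/ossec/bin/ossec-logtest, which reads a log line on stdin and reports the rule id and level that would fire after the local_rules.xml change; the dangling_parents check is the mistake it catches most often, a child whose <if_sid> points at a rule id that is not loaded.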
