On Fri, Jan 27, 2017 at 11:00 AM, Daniel B. <[email protected]> wrote:
>
> Yes, via ./ossec-control -r
>
root@ossec-test:/var/ossec/etc# /var/ossec/bin/ossec-control -r
Usage: /var/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
Try `/var/ossec/bin/ossec-control restart`
>
> On Thursday, January 26, 2017 at 4:41:20 PM UTC-5, Daniel B. wrote:
>>
>>
>>
>> full_log:
>>
>> Files hidden inside directory
>> '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'.
>> Link count does not match number of files (54,70).
>>
>> I have a rule setup to ignore this, and it's actually being hit when I test
>> the above line via ./ossec-logtest -v (see image)
>>
>> When I check the alerts, I see this as a level 7 alert.
>>
At some point was 700006 level 7? Or are you seeing a different level 7 alert?
>> The rules are defined on the server. Any idea on why an alert would be
>> generated despite the level 0 rule being hit?
>>
>> Decoder:
>>>> <decoder name="ignore_docker_mismatch">
>>>>   <prematch>Files hidden inside directory </prematch>
>>>>   <regex>(\p/var/lib/docker\.+)</regex>
>>>>   <order>extra_data</order>
>>>> </decoder>
>>
>>
>> Rule:
>>> <rule id="700006" level="0">
>>>   <decoded_as>ignore_docker_mismatch</decoded_as>
>>>   <description>Level 0 Alert -- Ignoring Docker Files Mismatch</description>
>>> </rule>
>>>
>>
>>
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
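Editor's note with an added example, not part of the thread above: the "Files hidden inside directory ... Link count does not match number of files" message is produced by rootcheck, and rootcheck results are handed to ossec-analysisd through the rootcheck queue and decoded by the built-in rootcheck decoder, so user-defined `<decoder>` entries in local_decoder.xml are never consulted for them. ossec-logtest, by contrast, pushes pasted text through the normal decoder chain, which is why the custom decoder and rule 700006 match in the test but the production alert is still raised by the stock rootcheck rule 510 ("Host-based anomaly detection event (rootcheck)", level 7, in rootcheck_rules.xml). The usual way to silence a specific rootcheck finding is a child of 510 with a `<match>` on the message text. The rule below is an illustration written for this note; the rule id 700006 is reused from the thread, the group name is arbitrary, and the `<match>` string is taken from the full_log quoted above (the rootcheck message is one line; the email wrapped it).

```xml
<!-- Added example for local_rules.xml: suppress the rootcheck link-count
     mismatch for Docker aufs layer mounts only. Everything else that
     rule 510 covers keeps firing at level 7. -->
<group name="local,rootcheck,">
  <rule id="700006" level="0">
    <!-- 510 is the stock OSSEC rootcheck anomaly rule; match only fires
         if the parent already matched. -->
    <if_sid>510</if_sid>
    <!-- <match> is a plain substring test against the message, so the
         literal path prefix is enough; no regex escaping needed. -->
    <match>Files hidden inside directory '/var/lib/docker/aufs/mnt/</match>
    <description>Ignoring rootcheck link-count mismatch under Docker aufs mounts</description>
  </rule>
</group>
```

After adding it, a full restart (`ossec-control restart`) reloads the rules; `ossec-logtest` will not reproduce the rootcheck path because it only exercises the log decoder chain, so verify by checking that the next rootcheck run no longer produces a rule 510 alert for that directory while other rootcheck findings are still reported.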