What rule did you use? Please share here the rule and the alerts that you 
want to ignore.

> I'd need the ID from the decoder to do so

There are no XML decoders for rootcheck. What you want to extract in the id 
field is the file, right? You can do a *match* in the rule for the file.

Regards.

On Friday, April 14, 2017 at 12:13:50 AM UTC+2, Rob Williams wrote:
>
> Hi Jesus,
>
> Thanks for the reply. I have noticed when I activate this rule, it blocks 
> all events and does not alert on the first event. Also note, I am trying to 
> use the ID field from my decoder to match against. I can't just use a 
> static match as the ID continuously changes so I'd need the ID from the 
> decoder to do so. Any ideas? Thanks!
>
> On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:
>>
>> Hi all,
>>
>> I'm running into an issue where rule 510 is triggering and I'm getting 
>> spammed with alerts but I can't seem to tune it correctly. What's weird is 
>> that I am still getting alerted for rule 510 for this log, but I can't 
>> figure out how to get that to show in logtest. Basically, I am getting 
>> spammed with rule 510 and trying to filter it down more and here is what 
>> happens when I enter the log in logtest:    .... any ideas on how to fix 
>> this?
>>
>> **Phase 1: Completed pre-decoding.
>>
>>        full event: 'File '/filepath/' is owned by root and has written 
>> permissions to anyone.'
>>
>>        hostname: 'hostname'
>>
>>        program_name: '(null)'
>>
>>        log: 'File '/filepath/' is owned by root and has written 
>> permissions to anyone.'
>>
>>
>> **Phase 2: Completed decoding.
>>
>>        decoder: 'sample_decoder_setup'
>>
>>        id: '/filepath/'
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
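Editor's added example (not part of the thread and not OSSEC project code): the child-rule shape the reply above suggests, written as a local_rules.xml fragment. The rootcheck decoder is built into ossec-analysisd and is selected by the event's source queue, not by a pattern in decoder.xml, so the only field a rule can key on is the event text itself; `<match>` is a literal substring test against that text and accepts `|` as OR. The rule id 100510, the group name `local,rootcheck,` and the path `/filepath/` are placeholders. The commented-out first rule shows the trap: a level-0 child of 510 with no `<match>` silences every rootcheck event, not just the one you meant to drop.

```xml
<!-- Added example: local_rules.xml fragment, ids 100000-119999 are the local range -->
<group name="local,rootcheck,">

  <!--
    WRONG: no <match>, so every event that fires 510 is caught here and
    dropped to level 0. Nothing from rootcheck alerts any more.

    <rule id="100509" level="0">
      <if_sid>510</if_sid>
      <description>Accidentally silences all rootcheck events.</description>
    </rule>
  -->

  <!--
    RIGHT: only the one accepted finding is dropped. The substring must
    appear verbatim in the rootcheck message, so copy it from the alert.
    To accept several paths, separate alternatives with '|', e.g.
    <match>File '/filepath/' is owned by root|File '/otherpath/' is owned by root</match>
  -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <match>File '/filepath/' is owned by root and has written permissions to anyone</match>
    <description>Ignore rootcheck world-writable alert for an accepted path.</description>
  </rule>

</group>
```

After editing local_rules.xml, restart the manager (`ossec-control restart`) so ossec-analysisd reloads the rule set, and confirm in alerts.log that other rootcheck findings still arrive under 510 while the accepted path no longer does.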