On Fri, Dec 1, 2017 at 1:41 PM, Leroy Tennison <[email protected]> wrote:

> The context is /var/log/syslog monitoring, I have one system which is
> generating numerous messages which I don't want to receive alerts for. I
> would prefer to avoid a rules-based approach because I'm just beginning to
> understand OSSEC and others with less knowledge than I need to be able to
> administer it as well. I want to exclude certain messages from syslog
> evaluation and noticed the ability to use a command (such as 'grep -v ...
> ???) under localfile.
>
> Is this a reasonable solution to my requirement?
> (If this is a reasonable solution)
> Do I also need to use the full_command and frequency options or will
> just specifying syslog as the log_format suffice?
> I assume that I will need to configure /var/log/syslog monitoring on
> each system since configuring it in agent.conf and having a different
> configuration on the specific system would produce conflicting
> configuration, correct?
>
You can't mix commands and syslog file types. There really isn't a way to filter out log messages at the agent level (on non-windows hosts).

> Thanks for your help.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
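The two localfile forms the question contrasts, and the server-side place where OSSEC actually drops an event, as an added configuration example that is not part of the thread. The noisy message text ("EXAMPLE NOISY MESSAGE"), the hostname ("noisyhost"), and rule id 100100 are constructed placeholders; the element names (localfile, log_format, command, frequency, if_group, hostname, match) are standard OSSEC configuration syntax.

```xml
<!-- ossec.conf on the agent: a syslog-type localfile. Every line of the file
     is shipped to the manager and run through the syslog decoders; there is
     no per-line exclude option in this block. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

<!-- A command-type localfile. The agent runs the command every <frequency>
     seconds and forwards its stdout, but that output is tagged with the
     "command" log type, not "syslog": it is decoded as the output of a
     command (log_format "full_command" sends the whole output as one event).
     A "grep -v" here therefore does not become a filtered syslog feed, it
     becomes a separate, differently decoded event stream. -->
<localfile>
  <log_format>command</log_format>
  <command>grep -v "EXAMPLE NOISY MESSAGE" /var/log/syslog</command>
  <frequency>60</frequency>
</localfile>

<!-- local_rules.xml on the manager: the supported way to silence one message
     from one host. Level 0 means "ignore"; <hostname> limits the rule to the
     single noisy system so the same message from any other host still alerts,
     and the rule is a child of the syslog group so it applies only to events
     that were decoded as syslog. Local rule ids must be in the 100000-119999
     range reserved for site rules. -->
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_group>syslog</if_group>
    <hostname>noisyhost</hostname>
    <match>EXAMPLE NOISY MESSAGE</match>
    <description>Ignore a known-noisy syslog message from one host only.</description>
  </rule>
</group>
```

Scoping the ignore rule with hostname and a literal match keeps the suppression as narrow as possible: the event is still received and archived by the manager (if logall is enabled), only the alert is dropped, and a change in the message text on that host will surface again rather than being silently discarded at the agent.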
