I've been trying to create a rule in my local_rules.xml file for a few
hours now with no success, and I'm hoping someone can help. I'm sure I'm
doing something really dumb and am just too tired to see it right now.
I would like to create a rule that will basically override Rule 504 (ossec
agent disconnected) for a few specific clients. I've added this rule to my
local_rules.xml file:
<group name="local_ignore_disconnects,ossec,">
  <!-- Child of core rule 504 (ossec agent disconnected), level 0 to suppress -->
  <rule id="100400" level="0">
    <if_sid>504</if_sid>
    <hostname>host1.company.net</hostname>
    <description>Ignore ossec disconnects from host1.</description>
  </rule>
  <rule id="100401" level="0">
    <if_sid>504</if_sid>
    <hostname>host2.company.net</hostname>
    <description>Ignore ossec disconnects from host2.</description>
  </rule>
</group> <!-- OSSEC,LOCAL-IGNORE-DISCONNECTS -->
Unfortunately, I am still getting email alerts whenever the ossec clients
on host1 or host2 disconnect. To complicate matters, I can't figure out how
to use ossec-logtest to try and test out these rules because the triggering
condition is not part of any log (as far as I'm aware), so I don't know
what type of example I could feed into the system.
The only thing I can think of is that the ossec rules invoke a pre-decoder
that does not provide a hostname for the client, or perhaps provides an
inconsistent hostname. For example, the hostname that's decoded from syslog
is (I think) the FQDN of the client. But perhaps the ossec decoder only
knows the client by its agent name (which may not match the FQDN)?
All of the documentation and examples I can find assume that I'm trying to
override or augment rules for things like syslog, sshd, or apache; I
haven't found anything that discusses how to augment an ossec core rule
(IDs between 0 and 999) *unless* I want to completely silence the rule;
but in this case, I'd just like to silence the rule for one or two clients.
Any help would be greatly appreciated. Thanks!
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
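An added example, not part of the post above and not a fragment of OSSEC's own rule set, of the same override written against the event that rule 504 actually sees. In ossec_rules.xml rule 504 is a `<match>Agent disconnected</match>` child of the internal "ossec" category (rule 500), and the message it matches is queued by ossec-monitord on the manager when an agent goes inactive; in the OSSEC sources that message is `ossec: Agent disconnected: 'NAME-IP'.`, where NAME is the agent name registered with manage_agents. Because the event is generated on the manager, the `<hostname>` field carries the manager's hostname, not the agent's, which is why a `<hostname>` child rule never fires. Matching the agent name in the message body instead works. The agent names host1 and host2 and the addresses are assumptions for the example.

```xml
<group name="local_ignore_disconnects,ossec,">
  <!-- Rule 504 matches the internal monitord message
         ossec: Agent disconnected: 'NAME-IP'.
       so the agent is identified by the quoted NAME-IP string in the
       message body, not by the event's <hostname> (which is the manager).
       Agent names below are assumed; check them with
       /var/ossec/bin/agent_control -l -->

  <rule id="100400" level="0">
    <if_sid>504</if_sid>
    <!-- The opening quote and trailing dash stop host1 matching host10 -->
    <match>Agent disconnected: 'host1-</match>
    <description>Ignore ossec disconnects from agent host1.</description>
  </rule>

  <rule id="100401" level="0">
    <if_sid>504</if_sid>
    <match>Agent disconnected: 'host2-</match>
    <description>Ignore ossec disconnects from agent host2.</description>
  </rule>
</group>
```

This can be tested with ossec-logtest after all, because the triggering condition is a log line: feed a constructed copy of the monitord message, e.g. `ossec: Agent disconnected: 'host1-10.0.0.5'.` (address assumed), to `/var/ossec/bin/ossec-logtest` and confirm that rule 100400 at level 0 is reported instead of 504, then feed a name that is not excluded and confirm 504 still fires.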