Eric, short answer is unfortunately "no" (see my similar question recently under the subject "Rule Exception - How?"). The only portions of a rule that you can negate/exclude are srcip and dstip (see http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html).
What I've found is that to exclude a subset of items you need to create a minimum of two rules. The first rule to catch only what you want to exclude, the second rule to capture all the rest. A simple example to simply ignore the ActiveSync log entries and do something with all the rest, using your log line examples and the rule you posted (not sure what rule #100210 is but assume it's to match the log lines for your rule):

    <!-- Rule to ignore ActiveSync logs -->
    <rule id="100211" level="0">
      <if_sid>100210</if_sid>
      <match>Microsoft-Server-ActiveSync</match>
      <description>NOISE: Ignore ActiveSync log entries.</description>
    </rule>

    <!-- Rule to do something with all the other log lines -->
    <rule id="100212" level="5">
      <if_sid>100210</if_sid>
      <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
      <description>Email authentication failure.</description>
    </rule>

Hope that helps point you in the right direction.

On Friday, February 9, 2018 at 10:38:47 AM UTC-5, Eric wrote:
>
> Hello,
>
> I'm working on a few custom rules and I was wondering if there is a "not equal to" item within OSSEC custom rules that I can use. I have the following logs and I want everything but the ActiveSync ones.
>
> Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>
> Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>
> Feb 9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 [email protected] X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15
>
> Right now I have the following logic and it works, but I'd prefer to just do a not equal to ActiveSync so I don't have to add additional regexes if a new log comes in.
>
> <rule id="100211" level="5">
>   <if_sid>100210</if_sid>
>   <regex>autodiscovery.xml|Exchange.asmx</regex>
>   <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
>   <description>Email authentication failure.</description>
> </rule>
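The two-rule exclusion pattern from the reply above, modelled in Python as an added example (not code from the thread or from OSSEC itself). It assumes a simplified view of OSSEC child-rule evaluation: children of rule 100210 are tried in file order, the first match wins, and a level-0 match drops the event. The log lines are constructed from the formats Eric posted, with a placeholder mailbox address, plus one extra ActiveSync line with a 401 to show why the ignore rule has to come first; the Python regex standing in for the thread's OSSEC regex is an assumption.

```python
import re

# Constructed sample lines in the formats shown in the thread (placeholder
# mailbox address; the fourth line is an added ActiveSync 401 to show ordering).
LOG_LINES = [
    "Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml "
    "&CorrelationID=<empty>;; 443 - user@example.com X.X.X.X "
    "SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0",
    "Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx "
    "&CorrelationID=<empty>;; 443 - user@example.com X.X.X.X "
    "SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0",
    "Feb 9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST "
    "/Microsoft-Server-ActiveSync/default.eas ; 443 user@example.com X.X.X.X "
    "Android-Mail/7.10.22.174510681.release - 200 0 0 15",
    "Feb 9 00:00:02 XXXXX 2018-02-09 04:59:59 10.13.1.28 POST "
    "/Microsoft-Server-ActiveSync/default.eas ; 443 user@example.com X.X.X.X "
    "Android-Mail/7.10.22.174510681.release - 401 1 0 15",
]

# Children of the (assumed) parent rule 100210, in file order. Simplified model
# of OSSEC semantics, not the OSSEC engine: first matching child wins, level 0
# means "drop silently". The 401 regex is a Python stand-in for the OSSEC one.
CHILD_RULES = [
    {"id": 100211, "level": 0, "pattern": re.compile(r"Microsoft-Server-ActiveSync"),
     "description": "NOISE: Ignore ActiveSync log entries."},
    {"id": 100212, "level": 5, "pattern": re.compile(r"\S+@\S+ \S+ \S+ - 401 "),
     "description": "Email authentication failure."},
]


def evaluate(line, rules=CHILD_RULES):
    """Return the first child rule whose pattern matches, or None."""
    for rule in rules:
        if rule["pattern"].search(line):
            return rule
    return None


def alerts(lines, rules=CHILD_RULES):
    """Return (rule id, description) for each line that should alert (level > 0)."""
    out = []
    for line in lines:
        hit = evaluate(line, rules)
        if hit is not None and hit["level"] > 0:
            out.append((hit["id"], hit["description"]))
    return out


if __name__ == "__main__":
    print("ignore rule first:", alerts(LOG_LINES))          # two alerts
    print("ignore rule last: ", alerts(LOG_LINES, CHILD_RULES[::-1]))  # three alerts
```

Reversing the rule order lets the ActiveSync 401 line through, which is the failure mode the "exclusion rule first" ordering prevents.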
