Dmitriy, custom rules can only be numbered between 100,000 and 119,999. Change the rule number you used (400,001) to one within the allowed range.

You can then use the *ossec-logtest* binary to test your config before deploying it. Other than the rule number your syntax appears to be fine.

- Bruce

On Thursday, March 1, 2018 at 5:11:20 AM UTC-5, Dmitriy Shvedchenko wrote:

> Hello there,
>
> could someone help me exclude this message from ossec:
>
> OSSEC HIDS Notification.
> 2018 Mar 01 11:02:10
>
> Received From: mail->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 1 11:02:10 mail systemd-logind: Failed to remove runtime directory /run/user/0: Device or resource busy
>
> --END OF NOTIFICATION
>
> I've created a local rule to exclude it, but this rule doesn't work:
>
> <rule id="400001" level="0">
>   <options>no_email_alert</options>
>   <!--<if_group>syscheck</if_group>-->
>   <if_sid>1002</if_sid>
>   <program_name>systemd-logind</program_name>
>   <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
>   <description>ignore this message</description>
> </rule>
>
> Could someone please tell me what I am doing wrong? Thank you in advance!
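An added checker, not from this thread or from OSSEC itself, that scans a local_rules.xml fragment for rule ids outside the 100000-119999 range reserved for custom rules. The sample rules file is constructed here: it contains the thread's rule with its id moved into the allowed range, plus the original out-of-range id so the report has something to flag.

```python
import re

# OSSEC reserves this id range for user-defined rules in local_rules.xml.
LOCAL_RULE_MIN = 100000
LOCAL_RULE_MAX = 119999

# Constructed sample: the rule from the thread with a valid id (100001),
# followed by the same rule with the original id (400001) that OSSEC rejects.
SAMPLE_LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <program_name>systemd-logind</program_name>
    <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
    <options>no_email_alert</options>
    <description>ignore runtime directory cleanup noise</description>
  </rule>
  <rule id="400001" level="0">
    <if_sid>1002</if_sid>
    <description>wrong id, outside the local range</description>
  </rule>
</group>
"""

# Regex rather than a strict XML parser: OSSEC accepts rule files without a
# single document root and with loosely escaped text, which ElementTree rejects.
_RULE_ID_RE = re.compile(r'<rule\s[^>]*\bid="(\d+)"')


def rule_ids(rules_text):
    """Return every <rule id="..."> value in the file, in document order."""
    return [int(i) for i in _RULE_ID_RE.findall(rules_text)]


def out_of_range_ids(rules_text):
    """Return the ids that fall outside the custom-rule range 100000-119999."""
    return [i for i in rule_ids(rules_text)
            if not LOCAL_RULE_MIN <= i <= LOCAL_RULE_MAX]


def duplicate_ids(rules_text):
    """Return ids defined more than once; OSSEC refuses to load duplicates."""
    seen, dups = set(), []
    for i in rule_ids(rules_text):
        if i in seen and i not in dups:
            dups.append(i)
        seen.add(i)
    return dups


if __name__ == "__main__":
    bad = out_of_range_ids(SAMPLE_LOCAL_RULES)
    print("out-of-range rule ids:", bad)            # [400001]
    print("duplicate rule ids:", duplicate_ids(SAMPLE_LOCAL_RULES))  # []
```

After fixing the id, feed the original syslog line to `/var/ossec/bin/ossec-logtest` on stdin to confirm the new rule, not 1002, is the one that fires.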
