Unfortunately the rule still doesn't work.
I also changed it to:

<rule id="100000" level="0">
  <options>no_email_alert</options>
  <if_matched_group>syscheck</if_matched_group>
  <!--<if_sid>1002</if_sid>-->
  <program_name>systemd-logind</program_name>
  <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
  <description>ignore this message</description>
</rule>

and I am still getting the mails.
On Thursday, 1 March 2018 at 11:11:20 UTC+1, Dmitriy Shvedchenko wrote:
>
> Hello there,
>
> could someone help me exclude this message from ossec:
>
> OSSEC HIDS Notification.
> 2018 Mar 01 11:02:10
>
> Received From: mail->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 1 11:02:10 mail systemd-logind: Failed to remove runtime directory
> /run/user/0: Device or resource busy
>
> --END OF NOTIFICATION
>
> I've created a local rule to exclude it, but this rule doesn't work:
>
> <rule id="400001" level="0">
>   <options>no_email_alert</options>
>   <!--<if_group>syscheck</if_group>-->
>   <if_sid>1002</if_sid>
>   <program_name>systemd-logind</program_name>
>   <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>
>   <description>ignore this message</description>
> </rule>
>
> Could someone please tell me what I am doing wrong? Thank you in advance!
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
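For comparison, here is a version of the suppression rule in the form OSSEC expects, added here as an example that is not part of either post in this thread. It assumes a stock OSSEC install under /var/ossec, that the rule is placed in /var/ossec/rules/local_rules.xml, and that the <match> text, which is line-wrapped in the e-mails, is a single line in the real file; the rule id 100001 and the description text are chosen for the example.

```xml
<!-- /var/ossec/rules/local_rules.xml  (added example, not from the thread) -->
<group name="local,syslog,">

  <!-- Rule 1002 ("Unknown problem somewhere in the system") is defined in
       syslog_rules.xml. Making it the parent via <if_sid> lets this child
       rule take over whenever the extra conditions below also hold. -->
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>

    <!-- program_name is filled in by the syslog decoder from the token
         before the colon: "systemd-logind" in the quoted log line. -->
    <program_name>systemd-logind</program_name>

    <!-- Keep the pattern on ONE line. The e-mail-wrapped form, with a line
         break after "Device or", is not the text of the log line and
         will not match. <match> is a substring pattern, so no anchors
         are needed. -->
    <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>

    <description>systemd-logind: runtime directory busy on logout (ignored)</description>
  </rule>

</group>
```

Things to check before and after dropping this in: local rule ids should be in the 100000-119999 range reserved for local rules; `<if_matched_group>` (used in the second attempt above) only applies to composite rules that count repeated events, so it will never fire for a single log line, and `<if_sid>` or `<if_group>` is the right way to link to the parent; `level="0"` already means the event is never alerted on or e-mailed, so `<options>no_email_alert</options>` is harmless but adds nothing. Verify the match without restarting anything by feeding the exact log line to the rule tester, `echo "Mar  1 11:02:10 mail systemd-logind: Failed to remove runtime directory /run/user/0: Device or resource busy" | /var/ossec/bin/ossec-logtest`, and confirm that phase 3 reports rule 100001 at level 0 rather than rule 1002; then restart with `/var/ossec/bin/ossec-control restart`, since rules are only read at startup. Finally, a level 2 alert only reaches e-mail if `email_alert_level` in ossec.conf has been lowered from its default of 7 (or an `<email_alerts>` block targets it), so raising that back is the other lever if the goal is simply fewer mails.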