Hey everyone,

In trying to do some tuning to ignore overly noisy log messages I don't care about, I'm running into an issue and I'm hoping someone here can help me with this.
I have this log being generated that I want to ignore:

2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013

I created/added the following into local.rules:

<rule id="200010" level="0">
  <if_sid>18103</if_sid>
  <id>^36871$</id>
  <user>SYSTEM</user>
  <match>Schannel</match>
  <description>ignore schannel errors</description>
</rule>

When I then run the log through ossec-logtest I get the following, showing it is matching at level 0:

root@SEC02:/var/ossec/bin# ./ossec-logtest
2020/07/16 13:26:52 ossec-testrule: INFO: Reading local decoder file.
2020/07/16 13:26:52 ossec-testrule: INFO: Started (pid: 74716).
ossec-testrule: Type one log per line.

2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.


**Phase 1: Completed pre-decoding.
       full event: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.'
       hostname: 'SEC02'
       program_name: '(null)'
       log: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'ERROR'
       id: '36871'
       extra_data: 'Schannel'
       dstuser: 'SYSTEM'
       system_name: 'somerandomserver.public.mycorp.com'

**Phase 3: Completed filtering (rules).
       Rule id: '200010'
       Level: '0'
       Description: 'ignore schannel errors'

The log however is still being forwarded into my Splunk server from OSSEC. Any ideas on what I'm doing wrong and how to prevent these logs from being forwarded?

Also, I do have log_alert_level as 1 in ossec.conf:

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

Any suggestions would be great.

Thanks
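For anyone tuning rules like the one above, the following is an added, illustrative re-implementation of the matching step, not OSSEC's own code and not from the post. It parses the `<rule>` block from local.rules, decodes WinEvtLog lines into the same fields the logtest output shows (`status`, `id`, `extra_data`, `dstuser`, `system_name`), and reports which lines would end up at a level of at least `log_alert_level`. The sample log lines other than the first are constructed, the parent rule 18103 is assumed to fire at level 5 for every ERROR event (check your installed ruleset), and Python's `re` stands in for OSSEC's own regex dialect for the simple `^...$` anchor used here.

```python
"""Illustrative OSSEC child-rule matching for WinEvtLog events.

Added example: not OSSEC code. It shows how <id>, <user> and <match> in a
local.rules entry line up with the fields the 'windows' decoder produces.
"""
import re
import xml.etree.ElementTree as ET

# The rule from the post, as it appears in local.rules.
LOCAL_RULE_XML = """
<rule id="200010" level="0">
  <if_sid>18103</if_sid>
  <id>^36871$</id>
  <user>SYSTEM</user>
  <match>Schannel</match>
  <description>ignore schannel errors</description>
</rule>
"""

# Assumption: the stock parent rule 18103 ("Windows error event") fires at
# level 5 for every WinEvtLog ERROR event. Verify against your ruleset.
PARENT_RULE = {"id": "18103", "level": 5}

# Sample input. The first line is the one from the post; the other two are
# constructed here to show non-matching ERROR events from the same host.
SAMPLE_LOGS = [
    "2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: "
    "NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred "
    "while creating an SSL client credential. The internal error state is 10013.",
    "2020 Jul 16 09:25:01 WinEvtLog: System: ERROR(36887): Schannel: SYSTEM: "
    "NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal alert was received "
    "from the remote endpoint. The TLS protocol defined fatal alert code is 46.",
    "2020 Jul 16 09:25:05 WinEvtLog: System: ERROR(7034): Service Control Manager: "
    "N/A: N/A: somerandomserver.public.mycorp.com: The Print Spooler service "
    "terminated unexpectedly.",
]

# Mirrors the field layout the 'windows' decoder exposed in ossec-logtest.
WINEVT_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode(line):
    """Return the decoded fields for a WinEvtLog line, or None if it does not parse."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def load_rule(xml_text):
    """Pull the matching criteria out of a single <rule> element."""
    root = ET.fromstring(xml_text)
    return {
        "rule_id": root.get("id"),
        "level": int(root.get("level")),
        "if_sid": root.findtext("if_sid"),
        "id": root.findtext("id"),
        "user": root.findtext("user"),
        "match": root.findtext("match"),
        "description": root.findtext("description"),
    }


def rule_matches(rule, fields, line):
    """<id> and <user> are tested against decoded fields; <match> is a
    substring test against the whole log line."""
    if rule["id"] and not re.search(rule["id"], fields["id"]):
        return False
    if rule["user"] and not re.search(rule["user"], fields["dstuser"]):
        return False
    if rule["match"] and rule["match"] not in line:
        return False
    return True


def evaluate(line, rule):
    """Return the final rule id and level for an ERROR event, or None when the
    line is not something the 18103 chain handles."""
    fields = decode(line)
    if fields is None or fields["status"] != "ERROR":
        return None
    if rule["if_sid"] == PARENT_RULE["id"] and rule_matches(rule, fields, line):
        return {"rule_id": rule["rule_id"], "level": rule["level"]}
    return {"rule_id": PARENT_RULE["id"], "level": PARENT_RULE["level"]}


def alerts_at_or_above(lines, rule, log_alert_level=1):
    """Lines whose final level reaches log_alert_level, i.e. the ones that
    would be written to alerts.log with the post's <alerts> settings."""
    out = []
    for line in lines:
        result = evaluate(line, rule)
        if result and result["level"] >= log_alert_level:
            out.append(line)
    return out


if __name__ == "__main__":
    rule = load_rule(LOCAL_RULE_XML)
    for line in SAMPLE_LOGS:
        print(evaluate(line, rule), "<-", line[:70])
    print("would alert:", len(alerts_at_or_above(SAMPLE_LOGS, rule)), "of", len(SAMPLE_LOGS))
```

Only the Schannel 36871 line drops to level 0; the two other ERROR events stay at the parent's level and would still be written out. This reproduces what ossec-logtest reported for the post's rule, and is a useful sanity check when a rule's `<id>`, `<user>` or `<match>` value does not line up with the decoded fields.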