I know this has been covered over and over again but I can't seem to make it work.
Here is my setup:
Windows box generating these:
2007-04-20 04:52:27 192.168.1.100 GET /folder1/path2/pageerror.aspx - 70.44.101.88 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506) - www.mydomainname.com 200 0 0 1729 443 93
OSSEC generating these:
OSSEC HIDS Notification.
2007 Apr 20 00:49:55
Received From: (webserver1) 192.168.1.100->\IIS Log Files\W3SVC\ex070420.log
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
<see above>
--END OF NOTIFICATION
So I added this to my ossec.conf on the windows box
<ossec_config>
  <!-- rules global entry -->
  <rules>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
And this to the local_rules.xml file on the windows box
<group name="local">
  <rule id="123456" level="0">
    <if_sid>1002</if_sid>
    <match> pageerror.aspx </match>
    <description>Events ignored</description>
  </rule>
</group>
…and restarted both the server and the client.
But I still receive the notifications. I've read about the rule id needing to be in the 10xxxx range, so I changed that, but it didn't help.
Thanks a ton!
Chad
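A small check, added here and not part of Chad's post, that loads the posted local_rules.xml and tests its `<match>` string against the posted IIS log line the way a plain substring test would (an approximation of OSSEC's `<match>`, which is not anchored and does not trim whitespace); the log line and the trimmed second rule set are constructed from the post.

```python
import xml.etree.ElementTree as ET

# Copy of the local_rules.xml from the post (constructed sample).
LOCAL_RULES = """<group name="local">
  <rule id="123456" level="0">
    <if_sid>1002</if_sid>
    <match> pageerror.aspx </match>
    <description>Events ignored</description>
  </rule>
</group>"""

# Same rule with the surrounding spaces removed from <match> (constructed).
FIXED_RULES = LOCAL_RULES.replace("<match> pageerror.aspx </match>",
                                  "<match>pageerror.aspx</match>")

# The IIS W3C log line from the post, user agent shortened (constructed sample).
IIS_LINE = ("2007-04-20 04:52:27 192.168.1.100 GET /folder1/path2/pageerror.aspx - "
            "70.44.101.88 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - "
            "www.mydomainname.com 200 0 0 1729 443 93")


def load_rules(xml_text):
    """Return the rules in a local_rules.xml body as dicts.

    The <match> text is kept exactly as written, whitespace included,
    because that is the string the engine will look for in the event.
    """
    root = ET.fromstring(xml_text)
    return [{
        "id": rule.get("id"),
        "level": int(rule.get("level", "0")),
        "if_sid": (rule.findtext("if_sid") or "").strip(),
        "match": rule.findtext("match") or "",
    } for rule in root.iter("rule")]


def rules_matching(xml_text, parent_sid, log_line):
    """IDs of child rules of parent_sid whose <match> occurs in log_line.

    Approximates OSSEC <match> as a case-sensitive substring test: the
    event contains "/pageerror.aspx -", so " pageerror.aspx " (with a
    leading space) is not found, while "pageerror.aspx" is.
    """
    return [r["id"] for r in load_rules(xml_text)
            if r["if_sid"] == parent_sid and r["match"] in log_line]
```

OSSEC evaluates rules on the manager, not on the agent, so a local_rules.xml placed on the Windows box is never consulted; this check only tells you whether the rule would fire once it is installed on the server side.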