
[ossec-list] rule chaining




I've set up custom decoders and rules for a custom log format I would 
like to monitor.  Everything seems to be working correctly except in 
the case where the custom log just happens to match one of the 
default rules as well (rule #2501, it's matching on "login 
failed").  So it looks like it is firing off the rule and not 
continuing.  I tried writing another local rule that ignores that 
2501 rule if the <program_name> matches my custom decoded program, 
and this works as well.  However, although it now ignores rule #2501 
in that special case, it still doesn't fire off my custom local rule 
that matches it further down the chain.  It seems like the first rule 
it finds that matches (or ignores) the log, it stops right there, and 
I'm guessing since it starts with the low-numbered rules (the default 
ones) it will never get to my local rules.  Is there a way around this?

Thanks,
~Josh


