[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] How to modify the rules with a local_rules.xml?

To: OSSEC Users List <ossec-list@xxxxxxxxxxxxxxxx>
Subject: [ossec-list] How to modify the rules with a local_rules.xml?
From: "Kayvan A. Sylvan" <kayvan@xxxxxxxxxx>
Date: Wed, 14 Feb 2007 17:49:39 -0800
Content-disposition: inline

I thought I had an answer for this before, but I can't find it.

I have an alert that fires off all the time:

    OSSEC HIDS Notification.
    2007 Feb 14 16:15:03

    Received From: server->/var/log/messages
    Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Feb 14 16:15:02 server smbd[28410]:   getpeername failed. Error was
    Transport endpoint is not connected

I want to set up a local_rules.xml to ignore this (and other) events.

How do I go about doing this?

			---Kayvan
-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

Follow-Ups:
- [ossec-list] Re: How to modify the rules with a local_rules.xml?
  - From: Daniel Cid

Prev by Date: [ossec-list] Windows clients disconnecting
Next by Date: [ossec-list] Re: How to modify the rules with a local_rules.xml?
Previous by thread: [ossec-list] Re: Windows clients disconnecting
Next by thread: [ossec-list] Re: How to modify the rules with a local_rules.xml?
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.