[ossec-list] Fine tune syslog_rules.xml Rule 1002
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Fine tune syslog_rules.xml Rule 1002
- From: Steve West <stevewest15@xxxxxxxxx>
- Date: Wed, 13 Jun 2007 20:14:44 -0400
ossec version 1.2
Hi,
I'm trying to figure out if I can exclude the following messages without
disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx (due to previous errors)
Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is neither permitted nor denied by SPF record at somedomain.com)
I'm wondering if there is a way I can set up an exclude clause and how I can go about writing such a rule to prevent ossec from sending me an email whenever any of the above lines are printed to /var/log/messages?
thx,
SW
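As an added example (not part of the original post), this is the usual OSSEC way to silence specific matches of a stock rule: a local rule in rules/local_rules.xml that chains off 1002 with <if_sid> and sets level 0, so only those log lines stop alerting while 1002 keeps firing for everything else. The rule ids 100010/100011 and the group name are assumptions; the match strings are taken from the log lines quoted above.

```xml
<!-- rules/local_rules.xml (loaded after syslog_rules.xml in ossec.conf) -->
<!-- Rule ids 100000-109999 are reserved for local rules; the ids below are assumed. -->
<group name="local,syslog,">

  <!-- freshclam mirror connectivity noise: matched only when 1002 already fired -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <program_name>freshclam</program_name>
    <!-- '|' is OR in OSSEC match patterns; covers both freshclam lines from the alert -->
    <match>connect_error: getsockopt|Ignoring mirror</match>
    <description>freshclam mirror timeout/ignored mirror; not alerted.</description>
  </rule>

  <!-- SPF "neither permitted nor denied" (neutral) results from the spf program -->
  <rule id="100011" level="0">
    <if_sid>1002</if_sid>
    <program_name>spf</program_name>
    <match>is neither permitted nor denied by SPF record</match>
    <description>SPF neutral result; not alerted.</description>
  </rule>

</group>
```

Level 0 rules produce no alert and no e-mail; keeping the <program_name> condition limits the exclusion to those daemons rather than to every log line containing the same words.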
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.