[ossec-list] Re: Fine tune syslog_rules.xml Rule 1002
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Fine tune syslog_rules.xml Rule 1002
- From: Steve West <stevewest15@xxxxxxxxx>
- Date: Fri, 15 Jun 2007 09:21:42 -0400
Hi,
I thought I'd reply back to my own question just in case anyone else might
be in a position like me and needs to find an answer in the future... ;-)
I used this wiki to ignore certain rules from firing:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
thx,
SW
Steve West wrote:
> ossec version 1.2
>
> Hi,
>
> I'm trying to figure out if I can exclude the following messages without
> disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
>
> Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jun 13 20:00:46 mail freshclam[30139]: connect_error:
> getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
>
> Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx
> (due to previous errors)
>
> Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is
> neither permitted nor denied by SPF record at somedomain.com)
>
> I'm wondering if there is a way I can set up an exclude clause and how I
> can go about writing such a rule to prevent ossec from sending me an
> email whenever any of the above lines are printed to /var/log/messages?
>
> thx,
>
> SW
>
>
>
>
>
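The approach referred to above, written out for the three quoted log lines as an added example (not part of the original thread and not copied from the linked wiki page). The rule IDs 100010 and 100011, the group name, and the placement in `rules/local_rules.xml` are assumptions; pick any unused IDs in the range reserved for user-defined rules.

```xml
<!-- rules/local_rules.xml (assumed location for site-specific rules) -->
<group name="local,syslog,">

  <!-- Child of rule 1002: only evaluated after 1002 has already matched.
       Level 0 means "ignore": no alert is generated and no e-mail is sent.
       Both <match> and <regex> must succeed, so this only silences
       freshclam lines about mirror connectivity. Other freshclam
       failures still fall through to rule 1002 and alert. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>freshclam</match>
    <regex>connect_error: getsockopt|Ignoring mirror</regex>
    <description>Ignore freshclam mirror connectivity noise.</description>
  </rule>

  <!-- The SPF "neutral" result trips rule 1002 because the line contains
       words such as "denied" and "fail". Match the full neutral phrase so
       that other SPF log lines are not silenced. -->
  <rule id="100011" level="0">
    <if_sid>1002</if_sid>
    <match>neither permitted nor denied by SPF record</match>
    <description>Ignore SPF neutral result lines.</description>
  </rule>

</group>
```

Keeping the patterns this narrow leaves rule 1002 active for everything else, and the overrides survive upgrades because `syslog_rules.xml` itself is not edited.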
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.