
[ossec-list] GUI Question



Hopefully there is an easy answer to my problem.  I am using OSSEC to
monitor Cisco logs coming in via syslog.
First problem:
The decoder is not working and I believe it is because the following
command was not executed on the routers.
    * To avoid having an invalid syslog header with extra timestamps
and sequence numbers, disable it:
no service sequence-numbers
no service timestamps debug uptime
no service timestamps log uptime

By policy I cannot execute these commands on the routers.  I believe
that this may be fubar'ing the decoder.  Does this make sense?

The second problem is related to the first.  Because I have all of
these invalid syslog headers, I was getting hit hard with alerts from
default rule #1002.  Instead of changing the default rule so that it
wouldn't match, I added the following to local rules to just ignore
the rule causing the problem.

  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <options>no_log</options>
    <description>Ignore Noisy Rules</description>
  </rule>

Well the emails stopped and the alerts stopped but the GUI now shows a
large number of level 0 alerts (that should be ignored) and a large
number of rule 100101 events.

Total for level 7               1    0.0%
Total for level 3               2    0.0%
Total for level 0          11,837  100.0%
Total for all levels       11,840    100%

Aggregate values by rule
Option                      Value  Percentage
Total for Rule 550              1    0.0%
Total for Rule 502              2    0.0%
Total for Rule 100101      11,837  100.0%
Total for all rules        11,840    100%

Is there a way to set a rule to completely ignore a default rule other
than changing the default rules that come with OSSEC?

Any help would be greatly appreciated.
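To illustrate the decoder problem described in the post, here is an added example (not from the original message and not OSSEC's own decoder code): a strict header matcher, standing in for a decoder that expects the %FACILITY-SEVERITY-MNEMONIC token right after the syslog priority, beside a tolerant one that skips the sequence number and uptime stamp those "service" settings add. The sample lines and both regexes are constructed assumptions for illustration.

```python
import re

# Constructed sample lines (not taken from the original post). The first carries
# the plain Cisco IOS header; the other two have the sequence number and uptime
# stamp that "service sequence-numbers" / "service timestamps log uptime" insert
# in front of the %FACILITY-SEVERITY-MNEMONIC token.
SAMPLE_LINES = [
    "<189>%SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "<189>000042: 3w1d: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "<187>000043: 3w1d: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

# The Cisco header token shared by both patterns.
HEADER = r"%(?P<facility>\w+)-(?P<severity>[0-7])-(?P<mnemonic>\w+): (?P<text>.*)"

# Assumed strict decoder: the header token must follow the syslog <PRI> directly.
# This is an illustrative stand-in, not OSSEC's own cisco-ios decoder regex.
STRICT = re.compile(r"^<(?P<pri>\d+)>" + HEADER + r"$")

# Tolerant decoder: optionally skip "NNNNNN: " (sequence number) and one more
# space-free token ending in ": " (uptime stamps such as "3w1d:" or "1d02h:").
TOLERANT = re.compile(
    r"^<(?P<pri>\d+)>(?:(?P<sequence>\d+): )?(?:(?P<uptime>[^%\s]+): )?" + HEADER + r"$"
)


def decode_strict(line):
    """Return the decoded fields, or None when the extra prefixes break the match."""
    m = STRICT.match(line)
    return m.groupdict() if m else None


def decode_tolerant(line):
    """Decode the line even when a sequence number and uptime stamp are present."""
    m = TOLERANT.match(line)
    return m.groupdict() if m else None


def count_undecoded(lines):
    """How many lines a strict decoder would drop through to a generic catch-all rule."""
    return sum(1 for line in lines if decode_strict(line) is None)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("strict:", decode_strict(line) is not None, "| tolerant:", decode_tolerant(line))
    print("undecoded by strict decoder:", count_undecoded(SAMPLE_LINES))
```

Lines the strict matcher rejects are exactly the ones that end up in a catch-all rule, which is the flood of noisy alerts the post describes.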





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.