Forgive me if this has already been discussed, but I searched the archives and I couldn’t find anything on this topic.

I would like to ignore logs on my clients, but because I have a large number of clients, I would like to set the server to ignore the logs rather than edit the ossec.conf file on every client. Is this possible?

As an example, I would like to ignore the /etc/httpd/logs/error_log file on my clients. So I tried putting this rule into the local_rules.xml file on my server:

    <rule id="110007" level="0">
      <if_sid>1003, 31101, 1002</if_sid>
      <match>/etc/httpd/logs/error_log</match>
      <description>Web log ignore.</description>
    </rule>

But it didn’t work. I assume the name of the log can’t be matched by the <match> directive? Is there any other directive that I could try?

Thanks.