[ossec-list] Re: Ignore clients logs from the server
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Ignore clients logs from the server
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sun, 16 Sep 2007 23:17:34 -0300
Hi Chris,
The location where the alert came from can be searched using the
"hostname" tag.
For example:
<rule id="110007" level="0">
<if_sid>1003, 31101, 1002</if_sid>
<hostname>error_log</hostname>
<description>Web log ignore.</description>
</rule>
Basically, when you look at an alert it has:
"Received From: (xx) 192.168.2.0->/var/log/messages"
Everything after the "from: " is what the hostname matches...
**ok, before someone complains, I know hostname is not the best name for this
option, but this is what we have now. Patches are welcome :)
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/14/07, Chris Russell <Chris_Russell@xxxxxxx> wrote:
>
> Forgive me if this has already been discussed, but I searched the archives
> and I couldn't find anything on this topic.
>
> I would like to ignore logs on my clients, but because I have a large number
> of clients, I would like to set the server to ignore the logs rather than
> edit the ossec.conf file on every client. Is this possible?
>
> As an example, I would like to ignore the /etc/httpd/logs/error_log file on
> my clients. So I tried putting this rule into the local_rules.xml file on
> my server:
>
> <rule id="110007" level="0">
> <if_sid>1003, 31101, 1002</if_sid>
> <match>/etc/httpd/logs/error_log</match>
> <description>Web log ignore.</description>
> </rule>
>
> But, it didn't work. I assume the name of the log can't be matched by the
> <match> directive? Is there any other directive that I could try?
>
> Thanks.
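The following is an added example, not code from the thread or from the OSSEC project. It models the distinction the reply draws between the two rule options: `<match>` is tested against the log line text, while `<hostname>` is tested against the "Received From" location, i.e. the `(agent) ip->logfile` string. The alerts, agent names and IPs are constructed, and the `os_match` helper is a simplified stand-in for OSSEC's own match syntax (substring search with `|`, `^` and `$`); the exact semantics of the real matcher are an assumption here, not something the thread states.

```python
import re

# Constructed sample alerts (not from the thread). Each carries the location
# in the "(agent) ip->logfile" form the reply describes plus the log line body.
# The parent rule ids 1002/1003/31101 are the ones quoted in the thread.
SAMPLE_ALERTS = [
    {"sid": 31101, "location": "(web01) 192.168.2.10->/etc/httpd/logs/error_log",
     "message": "[error] [client 10.0.0.5] File does not exist: /favicon.ico"},
    {"sid": 1002, "location": "(web01) 192.168.2.10->/var/log/messages",
     "message": "kernel: segfault at 0 ip 00000000 error 4"},
    {"sid": 31101, "location": "(web02) 192.168.2.11->/etc/httpd/logs/error_log",
     "message": "[error] [client 10.0.0.6] script not found"},
    # A line from a different file that merely mentions the path in its text.
    {"sid": 1003, "location": "(db01) 192.168.2.20->/var/log/secure",
     "message": "sshd[123]: error reading /etc/httpd/logs/error_log"},
]

# Chris's original attempt: <match> is compared with the log line text.
RULE_MATCH = {"id": 110007, "level": 0, "if_sid": {1003, 31101, 1002},
              "match": "/etc/httpd/logs/error_log"}

# Daniel's suggestion: <hostname> is compared with the location string.
RULE_HOSTNAME = {"id": 110007, "level": 0, "if_sid": {1003, 31101, 1002},
                 "hostname": "error_log"}


def parse_location(received_from):
    """Split "(agent) ip->logfile" into its parts (format as described in the reply)."""
    m = re.fullmatch(r"\((?P<agent>[^)]*)\)\s+(?P<ip>\S+)->(?P<logfile>.+)", received_from)
    if not m:
        raise ValueError("unexpected location format: %r" % received_from)
    return m.groupdict()


def os_match(pattern, text):
    """Simplified model (assumption) of the OSSEC match syntax:
    plain substring search, '|' for alternation, '^' anchors the start,
    '$' anchors the end."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$")
        core = alt[1 if start else 0: len(alt) - 1 if end else len(alt)]
        if start and end:
            ok = text == core
        elif start:
            ok = text.startswith(core)
        elif end:
            ok = text.endswith(core)
        else:
            ok = core in text
        if ok:
            return True
    return False


def rule_fires(rule, alert):
    """Evaluate a child rule: parent id must be in if_sid, then every
    present condition must hold. <match> sees the message, <hostname> the location."""
    if alert["sid"] not in rule["if_sid"]:
        return False
    if "match" in rule and not os_match(rule["match"], alert["message"]):
        return False
    if "hostname" in rule and not os_match(rule["hostname"], alert["location"]):
        return False
    return True


def suppressed_locations(rule, alerts=SAMPLE_ALERTS):
    """Locations whose alerts a level-0 rule silences."""
    return [a["location"] for a in alerts
            if rule["level"] == 0 and rule_fires(rule, a)]


if __name__ == "__main__":
    print("<match> rule suppresses:   ", suppressed_locations(RULE_MATCH))
    print("<hostname> rule suppresses:", suppressed_locations(RULE_HOSTNAME))
    for a in SAMPLE_ALERTS:
        print(parse_location(a["location"]))
```

Run as a script, the `<match>` variant silences only the one alert whose text happens to contain the path (the wrong alert), while the `<hostname>` variant silences exactly the two alerts that came from `error_log` on the web agents. Because the location string also carries the agent name, a pattern such as `^(web01)` (under the anchoring assumption above) would narrow the ignore rule to a single client without touching its ossec.conf.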