[ossec-list] Re: Ignore clients logs from the server
- To: <ossec-list@xxxxxxxxxxxxxxxx>
- Subject: [ossec-list] Re: Ignore clients logs from the server
- From: "Chris Russell" <Chris_Russell@xxxxxxx>
- Date: Mon, 17 Sep 2007 10:43:55 -0600
The "hostname" tag seems to be working great. Thanks!
-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
On Behalf Of Daniel Cid
Sent: Sunday, September 16, 2007 8:18 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Ignore clients logs from the server
Hi Chris,
The location where the alert came from can be searched using the
"hostname" tag.
For example:
<rule id="110007" level="0">
  <if_sid>1003, 31101, 1002</if_sid>
  <hostname>error_log</hostname>
  <description>Web log ignore.</description>
</rule>
Basically, when you look at an alert it has:
"Received From: (xx) 192.168.2.0->/var/log/messages"
Everything after the "from: " is what the hostname matches...
**ok, before someone complains, I know hostname is not the best name for this
option, but this is what we have now. Patches are welcome :)
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/14/07, Chris Russell <Chris_Russell@xxxxxxx> wrote:
>
> Forgive me if this has already been discussed, but I searched the archives
> and I couldn't find anything on this topic.
>
> I would like to ignore logs on my clients, but because I have a large number
> of clients, I would like to set the server to ignore the logs rather than
> edit the ossec.conf file on every client. Is this possible?
>
> As an example, I would like to ignore the /etc/httpd/logs/error_log file on
> my clients. So I tried putting this rule into the local_rules.xml file on
> my server:
>
> <rule id="110007" level="0">
>   <if_sid>1003, 31101, 1002</if_sid>
>   <match>/etc/httpd/logs/error_log</match>
>   <description>Web log ignore.</description>
> </rule>
>
> But, it didn't work. I assume the name of the log can't be matched by the
> <match> directive? Is there any other directive that I could try?
>
> Thanks.
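An added example (not from this thread and not OSSEC's own code) that models the distinction Daniel describes: <match> is tested against the log text, while <hostname> is tested against the location string after "Received From: ". It assumes plain substring matching and uses constructed alert headers and log lines; the real engine has its own match syntax. It also shows why a bare "error_log" is broader than the httpd path Chris asked about.

```python
import re

# Assumption (this is a model, not OSSEC's own code): both options are plain
# substring tests. <match> is applied to the log text, <hostname> to the
# location string that follows "Received From: " in the alert header.
ALERT_HEADER = re.compile(r"Received From: (?P<location>.+)$")


def parse_location(header_line):
    """Return the location part of an alert header, e.g. '(web1) 192.168.2.10->/var/log/messages'."""
    m = ALERT_HEADER.search(header_line)
    if not m:
        raise ValueError("not an alert header: %r" % header_line)
    return m.group("location")


def rule_ignores(rule, header_line, log_line):
    """True if a level-0 ignore rule with these options would fire on the alert."""
    location = parse_location(header_line)
    if "match" in rule and rule["match"] not in log_line:
        return False
    if "hostname" in rule and rule["hostname"] not in location:
        return False
    return True


# Constructed sample alerts (agent names, IPs and log lines are made up).
APACHE_ALERT = ("Received From: (web1) 192.168.2.10->/etc/httpd/logs/error_log",
                "[error] [client 192.168.2.55] File does not exist: /favicon.ico")
SYSLOG_ALERT = ("Received From: (web1) 192.168.2.10->/var/log/messages",
                "sshd[1234]: Accepted publickey for admin from 192.168.2.55")
NGINX_ALERT = ("Received From: (web2) 192.168.2.11->/var/log/nginx/error_log",
               "2007/09/16 20:18:00 [error] open() failed (2: No such file)")

MATCH_RULE = {"match": "/etc/httpd/logs/error_log"}       # Chris's first attempt
HOSTNAME_RULE = {"hostname": "error_log"}                 # Daniel's suggestion
STRICT_RULE = {"hostname": "/etc/httpd/logs/error_log"}   # narrower variant


def demo():
    # Which rule suppresses which alert; the bare "error_log" also hits nginx.
    return {
        "match_rule_on_apache": rule_ignores(MATCH_RULE, *APACHE_ALERT),
        "hostname_rule_on_apache": rule_ignores(HOSTNAME_RULE, *APACHE_ALERT),
        "hostname_rule_on_syslog": rule_ignores(HOSTNAME_RULE, *SYSLOG_ALERT),
        "hostname_rule_on_nginx": rule_ignores(HOSTNAME_RULE, *NGINX_ALERT),
        "strict_rule_on_nginx": rule_ignores(STRICT_RULE, *NGINX_ALERT),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(name, "->", "ignored" if fired else "still alerts")
```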
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.