Hi all,
I am a new user of OSSEC and appreciate this IDS a lot, the best of its kind AFAIK. However, there is something that is annoying me and that I have not been able to work around. I have seen a similar problem reported, but it was left without an answer (http://www.mail-archive.com/[email protected]/msg04720.html), though I think there was some misconfiguration there. In my case, the configuration is pretty straightforward and should work.

I don't want to receive such notifications anymore:

OSSEC HIDS Notification.
2009 Sep 14 11:06:54

Received From: (id3ser-net02) 10.3.30.42->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Sep 14 11:06:53 id3ser-net02 nagios3: SERVICE ALERT: gie-bruxel-ro1;Bandwith;UNKNOWN;SOFT;1;ERROR: Description table : No response from remote host 'gie-bruxel-ro1'.

So I added this section in the local_rules.xml file:

  <rule id="100040" level="0">
    <if_sid>1002</if_sid>
    <match>nagios3</match>
    <description>ignoring nagios events</description>
  </rule>

It means I want to ignore any message from nagios. I use the <match> condition because, at least if my understanding is correct, the log message is not decoded by OSSEC.

I restarted the OSSEC server, and still I am receiving this notification from the agent.

Am I missing something, or is there a bug?

Thank you in advance for your help,

Kind regards,

Phocean

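Added example, not part of the original post and not OSSEC's own code: a small Python model of how OSSEC walks its rule tree, loaded with the poster's rule 100040 and a constructed, cut-down stand-in for rule 1002, to show that the child rule is expected to win and bring the nagios line down to level 0 (no alert). The word list given to rule 1002 and the case-insensitive substring matching are assumptions of this model, not a copy of the shipped ruleset.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the relevant rules: a cut-down rule 1002 (the real
# one in syslog_rules.xml has a longer word list) plus the poster's rule 100040.
RULES_XML = """
<group name="local">
  <rule id="1002" level="2">
    <match>error|failure|denied|refused</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100040" level="0">
    <if_sid>1002</if_sid>
    <match>nagios3</match>
    <description>ignoring nagios events</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid else None,
            "match": [p.lower() for p in (r.findtext("match") or "").split("|")],
        })
    return rules

def rule_matches(rule, log_line):
    # <match> is a substring test with '|' as alternation; matching it
    # case-insensitively is an assumption of this model.
    line = log_line.lower()
    return any(p and p in line for p in rule["match"])

def evaluate(rules, log_line, parent_id=None):
    """Deepest matching rule: a child (if_sid) is tried only after its parent matched."""
    for rule in rules:
        if rule["if_sid"] == parent_id and rule_matches(rule, log_line):
            return evaluate(rules, log_line, rule["id"]) or rule
    return None

def alerts(rules, log_line):
    """(rule_id, level) that would alert, or None when the line ends at level 0."""
    rule = evaluate(rules, log_line)
    return None if rule is None or rule["level"] == 0 else (rule["id"], rule["level"])

# Constructed sample line, shortened from the one quoted in the post.
NAGIOS_LINE = ("Sep 14 11:06:53 id3ser-net02 nagios3: SERVICE ALERT: gie-bruxel-ro1;"
               "Bandwith;UNKNOWN;SOFT;1;ERROR: No response from remote host 'gie-bruxel-ro1'")
```

On a real server, feeding the same line to /var/ossec/bin/ossec-logtest shows which rule the installed ruleset actually selects, which is the quickest way to tell whether local_rules.xml is being read at all.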