I think you might want the <program_name> option instead of <match>.
On Mon, Sep 14, 2009 at 5:25 AM, Jean-Christophe Baptiste <[email protected]> wrote:
>
> Hi all,
>
> I am a new user of OSSEC and do appreciate this IDS a lot, the best of its
> kind AFAIK.
>
> However, there is something that is annoying me and that I have not been
> able to work around.
> I have seen a similar problem reported, but it was left without answer
> (http://www.mail-archive.com/[email protected]/msg04720.html).
> Though I think there was some misconfiguration.
>
> In my case, the configuration is pretty straightforward and should work.
>
> I don't want to receive such notifications any more:
>
> OSSEC HIDS Notification.
> 2009 Sep 14 11:06:54
>
> Received From: (id3ser-net02) 10.3.30.42->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Sep 14 11:06:53 id3ser-net02 nagios3: SERVICE ALERT:
> gie-bruxel-ro1;Bandwith;UNKNOWN;SOFT;1;ERROR: Description table : No
> response from remote host 'gie-bruxel-ro1'.
>
> So I added this section in the local_rules.xml file:
>
> <rule id="100040" level="0">
>   <if_sid>1002</if_sid>
>   <match>nagios3</match>
>   <description>ignoring nagios events</description>
> </rule>
>
> It means I want to ignore any message from nagios. I use the <match>
> condition because, at least if my understanding is correct, the log
> message is not decoded by OSSEC.
>
> I restarted the OSSEC server, and still I am receiving this notification
> from the agent.
>
> Am I missing something, or is there a bug?
>
> Thank you in advance for your help,
>
> Kind regards,
> Phocean
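As an added example (not part of the thread or of OSSEC's shipped rules), here is the poster's rule rewritten with <program_name> as the reply suggests, next to a narrower variant that only silences the Nagios service-alert lines shown in the notification. It assumes OSSEC's syslog pre-decoder splits "nagios3" off into the program_name field, so that <match> only sees the text after it; rule id 100041 and the group name are constructed.

```xml
<!-- Added example, not from the thread. Drop into local_rules.xml and
     keep one of the two rules, not both. -->
<group name="local,nagios,">

  <!-- Silence every syslog line whose program name is nagios3 that would
       otherwise fire generic rule 1002. Level 0 means no alert and no email.
       Assumption: the pre-decoder puts "nagios3" into program_name, which is
       why the poster's <match>nagios3</match> never fired. -->
  <rule id="100040" level="0">
    <if_sid>1002</if_sid>
    <program_name>nagios3</program_name>
    <description>Ignoring nagios3 events that hit generic rule 1002</description>
  </rule>

  <!-- Narrower alternative (constructed id): only suppress SERVICE ALERT
       lines, so any other nagios3 message still raises rule 1002 and stays
       visible to the operator. <match> here is checked against the message
       text that follows the program name. -->
  <rule id="100041" level="0">
    <if_sid>1002</if_sid>
    <program_name>nagios3</program_name>
    <match>SERVICE ALERT</match>
    <description>Ignoring nagios3 service alerts only</description>
  </rule>

</group>
```

After editing, restart the OSSEC server and confirm with a test message through `ossec-logtest` that the new rule, not 1002, is the one reported.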
