Yes, it may seem counterintuitive that 'match' will not match against the entire line from the log file.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Artur Pinheiro
Sent: Monday, September 14, 2009 10:30 AM
To: [email protected]
Subject: [ossec-list] Re: problem ignoring 1002 rule notifications
Importance: Low

Hi,

Nagios3 is the program part of the log. You should put something like:

<rule id="100002" level="0">
  <if_sid>1002</if_sid>
  <program_name>nagios3</program_name>
  <description>Ignora reports do nagios</description>
</rule>

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jean-Christophe Baptiste
Sent: Monday, 14 September 2009 10:25
To: [email protected]
Subject: [ossec-list] problem ignoring 1002 rule notifications

Hi all,

I am a new user of OSSEC and appreciate this IDS a lot; it is the best of its kind AFAIK. However, there is something that is annoying me and that I have not been able to work around.

I have seen a similar problem reported, but it was left without an answer (http://www.mail-archive.com/[email protected]/msg04720.html), though I think there was some misconfiguration there. In my case, the configuration is pretty straightforward and should work.

I don't want to receive such notifications any more:

OSSEC HIDS Notification.
2009 Sep 14 11:06:54

Received From: (id3ser-net02) 10.3.30.42->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Sep 14 11:06:53 id3ser-net02 nagios3: SERVICE ALERT: gie-bruxel-ro1;Bandwith;UNKNOWN;SOFT;1;ERROR: Description table : No response from remote host 'gie-bruxel-ro1'.

So I added this section in the local_rules.xml file:

<rule id="100040" level="0">
  <if_sid>1002</if_sid>
  <match>nagios3</match>
  <description>ignoring nagios events</description>
</rule>

It means I want to ignore any message from nagios. I use the <match> condition because, at least if my understanding is correct, the log message is not decoded by OSSEC.

I restarted the OSSEC server, and still I am receiving this notification from the agent. Am I missing something, or is there a bug?

Thank you in advance for your help,

Kind regards,

Phocean
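The behaviour the thread turns on, modelled in Python as an added example (not OSSEC's code and not part of the thread): OSSEC's syslog pre-decoder splits off the timestamp, hostname and program name before rules are evaluated, so a <match> test only sees the remaining message, while <program_name> sees the extracted program. The regex, field names and the simplified substring semantics of the two rule options are assumptions of this model.

```python
import re

# Simplified, hypothetical model of OSSEC's syslog pre-decoder. The header
# (timestamp, hostname, program name) is stripped and only the remainder is
# exposed as the "log" field that <match> is tested against.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

def predecode_syslog(line):
    """Return the program_name and log fields a rule would see."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Not syslog-shaped: no program name, whole line is the log.
        return {"program_name": None, "log": line}
    return {"program_name": m.group("prog"), "log": m.group("log")}

def rule_matches(rule, event):
    """Evaluate the two rule options used in the thread (simplified:
    <match> as a substring test on the decoded log, <program_name> as an
    exact comparison with the pre-decoded program name)."""
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    if "program_name" in rule and rule["program_name"] != event["program_name"]:
        return False
    return True

# Constructed copy of the log line quoted in the thread.
SAMPLE = ("Sep 14 11:06:53 id3ser-net02 nagios3: SERVICE ALERT: gie-bruxel-ro1;"
          "Bandwith;UNKNOWN;SOFT;1;ERROR: Description table : No response from "
          "remote host 'gie-bruxel-ro1'.")

BROKEN_RULE = {"id": "100040", "match": "nagios3"}        # rule as first posted
FIXED_RULE = {"id": "100002", "program_name": "nagios3"}  # rule as suggested

if __name__ == "__main__":
    ev = predecode_syslog(SAMPLE)
    print(ev)
    print("broken rule fires:", rule_matches(BROKEN_RULE, ev))  # False
    print("fixed rule fires:", rule_matches(FIXED_RULE, ev))    # True
```

Because "nagios3" is no longer in the decoded log field, the <match> rule never fires and rule 1002 keeps alerting; the <program_name> rule sees the extracted program and silences it.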
