I've been struggling with cleaning up the notifications from ossec, I've had
some success but for whatever reason I can't seem to get a grip on it
completely.
I've got several rules in local_rules.xml that filter out unimportant stuff
(Windows really likes to twiddle registry keys, in particular service Enum).
Most seem to work; however, some do not, even though I use the same syntax.
Here's an example: I get SMART HDD test syslog events from my NAS box:
Received From: fatty->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, Source IP:
127.0.0.1, Computer name: localhost, Content: [HDD SMART] HDD 1 Quick Test
result: Completed without error.
So I added
<rule id="100009" level="0">
<if_sid>1002</if_sid>
<match>'Completed without error'</match>
<match>'zmc'</match>
<description>Ignoring HDD Smart test okay and zoneminder</description>
</rule>
It's in a group and parses fine of course.
I still get the errors. I've read in some article/howto that it's best to
avoid using regular expressions too much; perhaps there's something wrong with
my <match>?
--
A banker is a fellow who lends you his umbrella when the sun is shining
and wants it back the minute it begins to rain.
-- Mark Twain
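As an added illustration (not part of the original post), the snippet below approximates how OSSEC evaluates a `<match>` pattern: each `|`-separated alternative is tested as a literal substring of the log line, not as a regular expression, so the single quotes in `'Completed without error'` are looked for literally and never occur in the log. It assumes OSSEC keeps one `<match>` per rule, and the `zmc` and `kernel` lines are constructed samples.

```python
# Approximation of OSSEC <match> semantics for illustration only.
# Each '|'-separated alternative is a literal substring test; a leading
# '^' anchors the alternative to the start of the line.

# First line is the event quoted in the post; the other two are constructed.
LOG_SMART = ("May 18 00:02:06 fatty qlogd[3762]: event log: Users: System, "
             "Source IP: 127.0.0.1, Computer name: localhost, Content: "
             "[HDD SMART] HDD 1 Quick Test result: Completed without error.")
LOG_ZMC = "May 18 00:05:00 fatty zmc[4120]: zmc_m1: capture started"   # constructed
LOG_OTHER = "May 18 00:06:00 fatty kernel: eth0: link down"             # constructed


def ossec_match(pattern: str, line: str) -> bool:
    """Return True if any '|'-alternative of pattern is found literally in line."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        if alt.startswith("^"):
            if line.startswith(alt[1:]):
                return True
        elif alt in line:
            return True
    return False


def quoted_rule_fires(line: str) -> bool:
    """The pattern as written in the post: the quotes are part of the literal."""
    return ossec_match("'Completed without error'", line)


def combined_rule_fires(line: str) -> bool:
    """One <match> with both alternatives joined by '|', no quotes."""
    return ossec_match("Completed without error|zmc", line)


if __name__ == "__main__":
    for name, line in [("SMART", LOG_SMART), ("zmc", LOG_ZMC), ("other", LOG_OTHER)]:
        print(f"{name:5s} quoted={quoted_rule_fires(line)!s:5s} "
              f"combined={combined_rule_fires(line)}")
```

Because the quoted pattern never matches, the level-0 rule never takes precedence over rule 1002, which is why the alerts keep arriving.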