Dan, Thanks. If you can't find anything it's no big deal. In our test environment we are SSHing as root, but in our production environment we are SSHing as a dedicated account that has limited access via sudo. It'll be trivial to configure OSSEC to disregard Nagios in that case. I went ahead and modified the PHP for the WUI so it only shows alerts at level 4 or higher, which has helped with the noise.
On Wed, Sep 29, 2010 at 2:26 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Sep 29, 2010 at 2:13 PM, Chris Decker <deckmo...@gmail.com> wrote:
> > Dan,
> >
> > Thanks. The "local_ip" setting appears to be what I need. I'll investigate
> > further to see if inodes are the culprit for the syscheck issue.
> >
> > Regarding item #3: One alert contains an IP address (the successful SSH
> > session), but the other two alerts are from PAM and do NOT contain an IP
> > address, making it difficult to create an exclusion rule with a level of 0.
> > I didn't know if there was a way to say "if rule x hit within the last few
> > seconds, and this event has criteria x and y, then use a level of 0".
> > Hopefully that makes sense.
> >
> > Again, appreciate all of your help.
> >
>
> I'm not aware of a way to say something like:
> If rule X fires with value a, and rule Y fires within b seconds, ignore
> rule Y
>
> The PAM alerts should have some information associated with them, a
> username or something. If that username is unique to the nagios
> application (and it should be, unless you have to use root), that
> could be the distinguishing factor for filtering on that alert.
>
> Posting sample logs (obfuscate real IPs and usernames), might help in
> filtering this out.
>
> I'll try looking to see if I have any sshd/PAM logs lying around that
> might be the same/similar.
>
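For the production case described in the thread (a dedicated Nagios account rather than root), here is what the username-based filtering Dan suggests looks like as an OSSEC local_rules.xml fragment. This is an added example, not configuration posted by anyone in the thread. The rule IDs 5501/5502 (PAM session opened/closed) and 5715 (sshd authentication success) are the stock OSSEC IDs as I remember them and should be checked against your own pam_rules.xml and sshd_rules.xml; the account name "nagios" and the monitoring-host address 203.0.113.10 are constructed placeholders.

```xml
<!-- Added example (not from the thread): local_rules.xml overrides that drop
     the expected Nagios check traffic to level 0 so it never shows in the WUI.
     IDs 100100+ are in the range OSSEC reserves for local rules.
     Assumptions: stock rule IDs 5501/5502 (PAM session open/close) and
     5715 (sshd auth success); account "nagios"; monitoring host 203.0.113.10. -->
<group name="local,nagios,">

  <!-- PAM session opened/closed events carry no source IP, but they do carry
       the username. Silence them only when the user is the Nagios account. -->
  <rule id="100100" level="0">
    <if_sid>5501, 5502</if_sid>
    <user>nagios</user>
    <description>Nagios check account PAM session (expected, ignored).</description>
  </rule>

  <!-- The sshd success event does carry a source IP, so require BOTH the
       Nagios account and the monitoring host. A login by that account from
       any other address keeps its normal level and still alerts. -->
  <rule id="100101" level="0">
    <if_sid>5715</if_sid>
    <user>nagios</user>
    <srcip>203.0.113.10</srcip>
    <description>Nagios check account SSH login from the monitoring host.</description>
  </rule>

</group>
```

The two rules deliberately differ in strictness: the PAM events give you only the username to key on, whereas the sshd event lets you also pin the source address, which keeps the override from hiding a use of the Nagios credentials from an unexpected host. In the test environment where checks run as root, the `<user>` match cannot distinguish Nagios from an administrator, which is the limitation Dan points out.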