I am trying to figure out how to disable this email alert and I haven't had
much luck yet.
---Email Alert---
OSSEC HIDS Notification.
2011 Sep 29 11:10:10
Received From: ossec->/var/log/messages
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too
large)."
Portion of the log(s):
Sep 29 11:10:10 ossec syslog-ng[3992]: Log statistics;
processed='destination(d_mail)=4', processed='destination(d_spol)=0',
processed='source(s_file_fs3)=6774',
processed='global(payload_reallocs)=528', processed='source(s_sys)=788',
processed='destination(d_mesg)=272', processed='global(msg_clones)=0',
processed='src.internal(s_sys#2)=272',
stamp='src.internal(s_sys#2)=1317312010', processed='destination(d_kern)=0',
processed='destination(d_mlal)=0', processed='destination(d_cron)=483',
dropped='dst.udp(d_messages#0,10.13.33.11:514)=0',
processed='dst.udp(d_messages#0,10.1.3.11:514)=73317',
stored='dst.udp(d_messages#0,10.1.3.11:514)=0',
processed='global(sdata_updates)=0', processed='destination(d_auth)=29',
processed='destination(d_boot)=0', processed='source(s_file_hr1)=10470',
processed='center(received)=0', processed='source(s_file_fs1)=13899',
processed='destination(d_messages)=73317',
processed='source(s_file_hr2)=10305', processed='center(queued)=0',
processed='source(s_file_fs2)=8202', processed='source(s_file_hr3)=23667'
--END OF NOTIFICATION
I put this in the local-rules.xml but it doesn't seem to be working.
<!-- <match> is tested against the log message body, so it must name text that
     actually occurs in the log ("Log statistics"), not rule 1003's description. -->
<rule id="100304" level="0">
  <if_sid>1003</if_sid>
  <match>Log statistics</match>
  <description>Ignore syslog-ng log statistics messages.</description>
</rule>
Any help would be great.
Thanks
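To show why the rule as posted never fires, here is an added Python model (not OSSEC's own code) of how rule 1003 and an if_sid child rule are evaluated: the child rule's match string is compared against the decoded log body, not the parent rule's description. The sample log line is constructed, and the evaluator is a deliberate simplification of OSSEC's real rule engine.

```python
import re

# Constructed sample modelled on the syslog-ng statistics line in the post,
# padded so that it exceeds rule 1003's default 1025-byte limit.
SAMPLE_LOG = (
    "Sep 29 11:10:10 ossec syslog-ng[3992]: Log statistics; "
    + ", ".join(f"processed='source(s_file_{i})={i * 97}'" for i in range(60))
)

SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

def decode(raw):
    """Split a BSD-syslog line into program name and message body, as the
    syslog pre-decoder does. A rule's <match> is evaluated against the body;
    the rule description text ("Non standard syslog message") is never part
    of it, which is why matching on the description cannot succeed."""
    m = SYSLOG_HEADER.match(raw)
    if not m:
        return {"program": None, "log": raw}
    return {"program": m["program"], "log": m["log"]}

def evaluate(raw, local_rules, maxsize=1025):
    """Return (rule_id, level) for a line, or None if nothing fires.
    Rule 1003 (level 13) fires when the raw line exceeds maxsize; any local
    child rule with if_sid 1003 then overrides it if its match substring
    occurs in the decoded body. First matching child wins."""
    if len(raw) <= maxsize:
        return None
    event = decode(raw)
    for rule in local_rules:
        if rule["if_sid"] == 1003 and rule["match"] in event["log"]:
            return (rule["id"], rule["level"])
    return (1003, 13)

# The rule as posted: its match string is rule 1003's description, not log text.
POSTED_RULE = {"id": 100304, "level": 0, "if_sid": 1003,
               "match": "Non standard syslog message"}
# Corrected rule: the match string is a substring of the actual message body.
FIXED_RULE = {"id": 100304, "level": 0, "if_sid": 1003, "match": "Log statistics"}
```

With the posted rule the statistics line still resolves to rule 1003 at level 13 and the alert is sent; with the corrected match it resolves to 100304 at level 0 and is silenced.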