On Wed, Feb 8, 2012 at 10:59 AM, Sam Culley <[email protected]> wrote:
> Sorry, here is an example portion of logs; there are 7 types of logs as I have
> 7 services monitored on Nagios.
>
> Feb 8 15:56:04 GL-KLINK nagios: SERVICE ALERT: host-xx;Thunderbird
> Version;CRITICAL;HARD;1;Connection refused or timed out
>

Filtering these out should be easy. Untested but has a good chance of working:

<rule id="WHATEVER" level="0">
  <if_sid>1002</if_sid>
  <program_name>nagios</program_name>
  <match>Connection refused or timed out$</match>
  <description>I Don't want to see refused connections</description>
</rule>

> Sam Culley
> Sent from my iPhone 4
>
> On 8 Feb 2012, at 15:40, "dan (ddp)" <[email protected]> wrote:
>
> It'll be tough to help if you XXX all the logs.
> Create a rule to ignore messages you don't want to see. In this case
> <if_sid>1002</if_sid> and <match>XXX</match>
>
> On Feb 8, 2012 10:37 AM, "culley" <[email protected]> wrote:
>>
>> So I have Nagios as well as OSSEC on the same system and because OSSEC is
>> set to check /var/log/messages I inadvertently receive email if Nagios
>> can't connect/check the remote hosts for whatever reason.
>>
>> Like so
>>
>> Receive From : XXXXXX-> /var/log/messages
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>> system."
>>
>> Portion of log(s):
>>
>> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>
>> How would I go about changing the level for /var/log/message so it
>> only sends mail when a higher alert is logged, or is there a different
>> solution entirely to prevent OSSEC alerting about Nagios?
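
A small Python model of how the child rule suggested in the reply would be evaluated, added here as an illustration (it is not code from the thread or from OSSEC). The keyword list standing in for rule 1002 is an assumed subset, the matching is simplified, and every sample line except the first is constructed.

```python
import re

# Simplified model: assumed subset of the keywords behind stock rule 1002.
BAD_WORDS = ("failure", "error", "denied", "refused", "fatal", "failed")

# Syslog header: "Mon D HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Mirrors the rule in the reply; "WHATEVER" is the thread's placeholder id.
CHILD = {"id": "WHATEVER", "level": 0, "program_name": "nagios",
         "match_end": "Connection refused or timed out"}

def evaluate(line):
    """Return (rule_id, level) for one syslog line, or None if no rule fires."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg").lower()
    # Parent: generic "unknown problem" rule 1002 (level 2 in the alert above).
    if not any(word in msg for word in BAD_WORDS):
        return None
    # Child (if_sid 1002): program name must match and the text must END
    # with the phrase, which is what the trailing "$" in <match> asks for.
    if prog == CHILD["program_name"] and msg.endswith(CHILD["match_end"].lower()):
        return (CHILD["id"], CHILD["level"])
    return (1002, 2)

SAMPLES = [  # first line is from the thread (unwrapped); the rest are constructed
    "Feb 8 15:56:04 GL-KLINK nagios: SERVICE ALERT: host-xx;Thunderbird "
    "Version;CRITICAL;HARD;1;Connection refused or timed out",
    "Feb 8 15:57:10 GL-KLINK nagios: SERVICE ALERT: host-xx;Disk;CRITICAL;HARD;1;DISK error on /var",
    "Feb 8 15:58:30 GL-KLINK sshd[2211]: error: Connection refused or timed out",
    "Feb 8 15:59:00 GL-KLINK nagios: SERVICE ALERT: host-xx;PING;OK;HARD;1;PING OK",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s), "<-", s)
```

Only the Nagios "Connection refused or timed out" line drops to level 0; other Nagios problems and the same phrase from another program still reach rule 1002. On a live install, feeding the same lines to ossec-logtest shows which rule actually fires.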
