What happens if you stop modifying syslog_rules.xml and add your rules
to local_rules.xml?

On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer <sklaumin...@gmail.com> wrote:
> I have modified my syslog_rules.xml to exclude alerts for standard OSX
> Server error messages and while they work in ossec-logtest they do not
> alter the alerting policy on the server.
>
> Rule from syslog_rules:
>
>   <rule id="100201" level="0">
>     <if_sid>1002</if_sid>
>     <program_name>servermgrd</program_name>
>     <options>no_email_alert</options>
>     <description>Server Manager errors ignore</description>
>   </rule>
>
> Event log:
> Apr 10 10:33:35 seahkgxsv01 servermgrd[56468]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x1004284a0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."
>
> ossec-logtest results:
>
>
> $sudo /var/ossec/bin/ossec-logtest
> 2012/04/16 08:51:02 ossec-testrule: INFO: Reading local decoder file.
> 2012/04/16 08:51:02 ossec-testrule: INFO: Started (pid: 99621).
> ossec-testrule: Type one log per line.
>
> Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."
>
>
> **Phase 1: Completed pre-decoding.
>       full event: 'Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."'
>       hostname: 'seahkgxsv01'
>       program_name: 'servermgrd'
>       log: '-[AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."'
>
> **Phase 2: Completed decoding.
>       No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '100201'
>       Level: '0'
>       Description: 'Server Manager errors ignore'
>
>
>
> **However**
>
> This alert is still sent via email:
>
> OSSEC HIDS Notification.
> 2012 Apr 16 08:22:19
>
> Received From: seahkgxsv01->/var/log/system.log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> system."
> Portion of the log(s):
>
> Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."
>
>
>
> --END OF NOTIFICATION
>
>
> What I have tried:
>
> Restart ossec, stop ossec, start ossec. Check rule permissions.
>
> This is happening with all syslog_rules.xml modifications, but
> msauth_rules.xml mods *are* working.
>
> My config currently only has a single system on syslog, the local OSX
> Server running ossec server (and agent).

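An added example, not code from this thread and not OSSEC's own matching engine: a simplified Python model of how an `if_sid` child rule in local_rules.xml overrides the stock rule 1002 from syslog_rules.xml. It assumes a syslog pre-decoder that splits `hostname`, `program_name` and `log` the way ossec-logtest's Phase 1 output shows, treats `<match>` as a case-insensitive alternation of substrings (a subset of OSSEC's `$BAD_WORDS` list stands in for the real variable), and applies OSSEC's "deepest matching child wins" rule. The log lines are constructed; the first is the servermgrd event from the post with the mail-client wrapping removed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for stock rule 1002 (syslog_rules.xml). The word list
# is a subset of OSSEC's $BAD_WORDS variable. alert_by_email is what lets a
# level-2 rule reach email even though email normally needs a higher level.
STOCK_RULES = """\
<group name="syslog,errors,">
  <rule id="1002" level="2">
    <match>core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

# The override from the post as it would be written in local_rules.xml rather
# than edited into syslog_rules.xml. With level="0" the no_email_alert option
# is redundant: a level-0 match is dropped before any alerting happens.
LOCAL_RULES = """\
<group name="local,syslog,">
  <rule id="100201" level="0">
    <if_sid>1002</if_sid>
    <program_name>servermgrd</program_name>
    <description>Server Manager errors ignore</description>
  </rule>
</group>
"""

# Constructed sample events (the first is the event from the post, unwrapped).
SERVERMGRD_LINE = (
    "Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: "
    "-[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: "
    "dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2000 "
    'UserInfo=0x10044a1e0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."'
)
CRON_LINE = "Apr 16 08:30:00 seahkgxsv01 cron[4242]: error reading crontab for root"
QUIET_LINE = "Apr 16 08:31:00 seahkgxsv01 servermgrd[95916]: servermgr_accounts: started"

# Assumed syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)


def predecode(line):
    """Phase 1 stand-in: split a syslog line into hostname / program_name / log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group("host"), "program_name": m.group("prog"), "log": m.group("log")}


def load_rules(*xml_fragments):
    """Parse one or more <group> fragments into plain rule dicts, in file order."""
    rules = []
    for frag in xml_fragments:
        for r in ET.fromstring(frag).iter("rule"):
            rules.append({
                "id": int(r.get("id")),
                "level": int(r.get("level")),
                "if_sid": [int(s) for s in r.findtext("if_sid", "").replace(",", " ").split()],
                "program_name": r.findtext("program_name"),
                "match": r.findtext("match"),
                "description": r.findtext("description", ""),
            })
    return rules


def rule_matches(rule, ev):
    """Simplified <match> (case-insensitive substring alternation) and <program_name> (regex)."""
    if rule["match"] is not None:
        if not any(w.lower() in ev["log"].lower() for w in rule["match"].split("|")):
            return False
    if rule["program_name"] is not None:
        if ev["program_name"] is None or not re.search(rule["program_name"], ev["program_name"]):
            return False
    return True


def evaluate(line, rules):
    """Return the winning rule dict for a line, or None if no root rule matches.

    Root rules (no if_sid) are tried highest level first; once one matches, its
    if_sid children are followed and the deepest matching child is the result.
    """
    ev = predecode(line)
    for root in sorted((r for r in rules if not r["if_sid"]), key=lambda r: -r["level"]):
        if not rule_matches(root, ev):
            continue
        winner = root
        while True:
            child = next((r for r in rules if winner["id"] in r["if_sid"] and rule_matches(r, ev)), None)
            if child is None:
                return winner
            winner = child
    return None


def will_alert(line, rules):
    """A level-0 winner is silently dropped; anything higher becomes an alert."""
    r = evaluate(line, rules)
    return r is not None and r["level"] > 0


def logtest_summary(line, rules):
    """Mimic the Phase 3 line ossec-logtest prints for the winning rule."""
    r = evaluate(line, rules)
    if r is None:
        return "no rule matched"
    return "Rule id: '%d'  Level: '%d'  Description: '%s'" % (r["id"], r["level"], r["description"])


if __name__ == "__main__":
    stock_only = load_rules(STOCK_RULES)
    with_local = load_rules(STOCK_RULES, LOCAL_RULES)
    for line in (SERVERMGRD_LINE, CRON_LINE, QUIET_LINE):
        print("stock only :", logtest_summary(line, stock_only))
        print("with local :", logtest_summary(line, with_local), "-> alert:", will_alert(line, with_local))
```

Running it shows the servermgrd event landing on 1002 (level 2) with the stock rules alone and on 100201 (level 0, no alert) once the local override is loaded, while the cron error still reaches 1002 and the quiet line matches nothing. The model also makes the reply's point concrete: the override only works if the file that contains it is in the rule set the running analysisd actually loaded, which is why keeping custom rules in local_rules.xml, a file that is always listed in ossec.conf and never overwritten by an upgrade, is the safer place for them.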