What happens if you stop modifying syslog_rules.xml and add your rules to local_rules.xml?
On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer <sklaumin...@gmail.com> wrote:
> I have modified my syslog_rules.xml to exclude alerts for standard OSX
> Server error messages and while they work in ossec-logtest they do not
> alter the alerting policy on the server.
>
> Rule from syslog_rules:
>
> <rule id="100201" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>servermgrd</program_name>
>   <options>no_email_alert</options>
>   <description>Server Manager errors ignore</description>
> </rule>
>
> Event log:
> Apr 10 10:33:35 seahkgxsv01 servermgrd[56468]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x1004284a0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."
>
> ossec-logtest results:
>
> $ sudo /var/ossec/bin/ossec-logtest
> 2012/04/16 08:51:02 ossec-testrule: INFO: Reading local decoder file.
> 2012/04/16 08:51:02 ossec-testrule: INFO: Started (pid: 99621).
> ossec-testrule: Type one log per line.
>
> Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."'
>        hostname: 'seahkgxsv01'
>        program_name: 'servermgrd'
>        log: '-[AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100201'
>        Level: '0'
>        Description: 'Server Manager errors ignore'
>
>
> **However**
>
> This alert is still sent via email:
>
> OSSEC HIDS Notification.
> 2012 Apr 16 08:22:19
>
> Received From: seahkgxsv01->/var/log/system.log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
> system."
> Portion of the log(s):
>
> Apr 16 08:22:19 seahkgxsv01 servermgrd[95916]: -
> [AccountsRequestHandler(AccountsOpenDirectoryHelpers)
> openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error
> Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x10044a1e0 "Unable
> to open Directory node with name /LDAPv3/127.0.0.1."
>
>
> --END OF NOTIFICATION
>
>
> What I have tried:
>
> Restart ossec, stop ossec, start ossec. Check rule permissions.
>
> This is happening with all syslog_rules.xml modifications, but
> msauth_rules.xml mods *are* working.
>
> My config currently only has a single system on syslog, the local OSX
> Server running ossec server (and agent).
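For the approach suggested in the reply (keeping the custom rule in local_rules.xml instead of editing the shipped syslog_rules.xml), this is how the quoted rule would be placed there. It is an added illustration, not part of either message in the thread; the rule body is the one from the original post, and the group name is an assumption.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread).
     Rules in this file must sit inside a <group> element. OSSEC reserves
     IDs 100000-119999 for user-defined rules, so 100201 is a valid choice.
     The group name "local,syslog," is an assumption; any name works. -->
<group name="local,syslog,">

  <!-- Child of the generic "Unknown problem somewhere in the system" rule
       (1002). When the program that logged the line is servermgrd, the
       event drops to level 0, which OSSEC never alerts on, so no e-mail is
       sent. The no_email_alert option is redundant at level 0 but does no
       harm. -->
  <rule id="100201" level="0">
    <if_sid>1002</if_sid>
    <program_name>servermgrd</program_name>
    <options>no_email_alert</options>
    <description>Server Manager errors ignore</description>
  </rule>

</group>
```

Two checks worth doing alongside the move: confirm that the `<rules>` section of ossec.conf includes local_rules.xml and lists it after syslog_rules.xml, since a child rule's `<if_sid>` must point at a rule that has already been loaded; then restart the server with `/var/ossec/bin/ossec-control restart` and re-run `/var/ossec/bin/ossec-logtest` with the same line to verify that rule 100201 (level 0) still wins over 1002.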