I don't see how your log is related to rule 1002 (<if_sid>1002</if_sid>). I suggest you remove this line as well. You can test your new rule with ossec-logtest -f; it will give you insight into your rule hierarchy.
-Stephane

On Feb 25, 2013 2:56 PM, "Kevin Kelly" <[email protected]> wrote:

> I believe the problem is: <srcip>192.168.x.y</srcip>
>
> There is no IP address in the log entry, so the source IP will never match. Maybe you could use <hostname></hostname> instead?
>
> --
> Kevin Kelly
> Director, Network Technology
> Whitman College
>
> ________________________________
> From: "Fredrik" <[email protected]>
> To: [email protected]
> Sent: Monday, February 25, 2013 1:49:14 AM
> Subject: [ossec-list] Rule creation to suppress email alert
>
> Hello!
>
> I have read some of the similar posts, but can't seem to get it to work. I'm trying to stop the following (syslog) message from generating an alert, while the underlying cause is being dealt with:
>
> Feb 25 09:40:31.464 apf_foreignap.c:1281 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:00:40:96:a7:50:c6
>
> I have added a rule to local_rules.xml:
>
> <!-- This was put in place to silence alerts generated by the Cisco WAC -->
> <rule id="100002" level="2">
>   <if_sid>1002</if_sid>
>   <srcip>192.168.x.y</srcip>
>   <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
>   <options>no_email_alert</options>
> </rule>
>
> I have tried different match strings, with/without the IP address, but I can't seem to get a hit on my custom filter when using the ossec-logtest binary, and the message keeps generating email alerts.
>
> What have I got wrong?!
>
> Fredrik
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
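Both replies point at conditions in the posted rule that cannot hold for the quoted log line. The script below is an added example, not from the thread or from OSSEC itself: it models the rule as a set of conditions checked against the line exactly as Fredrik pasted it, so that each failing condition is reported by name. The srcip-free variant (NO_SRCIP_RULE) is a hypothetical rewrite, `<match>` is reduced to a literal substring test, and `<if_sid>` chaining, `<hostname>` and OSSEC's own match syntax are not modelled.

```python
import re
import xml.etree.ElementTree as ET

# The syslog line exactly as quoted in Fredrik's post (constructed sample input).
LOG_LINE = ("Feb 25 09:40:31.464 apf_foreignap.c:1281 "
            "APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. "
            "MSCB still in init state. Address:00:40:96:a7:50:c6")

# The rule as posted to the list.
POSTED_RULE = """<rule id="100002" level="2">
  <if_sid>1002</if_sid>
  <srcip>192.168.x.y</srcip>
  <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
  <options>no_email_alert</options>
</rule>"""

# Hypothetical variant: no srcip condition, match string taken verbatim from the line.
NO_SRCIP_RULE = """<rule id="100002" level="2">
  <if_sid>1002</if_sid>
  <match>APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
  <options>no_email_alert</options>
</rule>"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def decode(line):
    """Stand-in for the decoder stage: only srcip is extracted, by a plain IPv4 scan.
    If the text carries no address, srcip stays None and any <srcip> test must fail."""
    m = IPV4.search(line)
    return {"srcip": m.group(0) if m else None, "full_log": line}

def evaluate(rule_xml, line):
    """Return (fires, reasons). Every condition present in the rule must hold;
    <match> is treated as a literal substring test and <srcip> as exact equality.
    <if_sid> chaining and decoder selection are deliberately not modelled."""
    rule = ET.fromstring(rule_xml)
    fields = decode(line)
    reasons = []
    want_ip = rule.findtext("srcip")
    if want_ip is not None and fields["srcip"] != want_ip:
        reasons.append(f"srcip: rule wants {want_ip!r}, log yields {fields['srcip']!r}")
    pattern = rule.findtext("match")
    if pattern is not None and pattern not in fields["full_log"]:
        reasons.append(f"match: {pattern!r} is not a substring of the log line")
    return (not reasons, reasons)

if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("no_srcip", NO_SRCIP_RULE)):
        fires, why = evaluate(rule, LOG_LINE)
        print(name, "fires" if fires else "does not fire", why)
```

Note that the `%` in the posted match string is absent from the line as quoted, so the literal test fails for that reason as well; confirm against the real event with ossec-logtest, since the decoder may see a different prefix than the pasted text shows.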
