On Tue, Feb 26, 2013 at 3:46 AM, Fredrik <fredrik.ke...@gmail.com> wrote:
> Hi Stephane,
>
> Thanks for your post! Sorry, my bad - the example I sent was generic and not
> an exact message from the logs :( Please find a "real" sample below.
>
> Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316:
> %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
> Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34
>

# /var/ossec/bin/ossec-logtest
2013/02/26 15:23:05 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 15:23:06 ossec-testrule: INFO: Started (pid: 32596).
ossec-testrule: Type one log per line.

Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34


**Phase 1: Completed pre-decoding.
       full event: 'Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34'
       hostname: '192.168.x.y'
       program_name: 'Cisco-WAC'
       log: '*Feb 26 08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

There is no srcip, so of course the rule won't match.

> ossec-logtest doesn't seem to accept the -f switch (in my install), did you
> mean -d for debug? Attached the output I got with -d.
>
> Best,
> Fredrik
>
> On Tuesday, February 26, 2013 12:07:51 AM UTC+1, srossan wrote:
>>
>> I don't see how your log is related to rule 1002 ( <if_sid>1002</if_sid>).
>> I suggest you remove this line as well. You can test your new rule with
>> ossec-logtest -f, it will give you insight on your rules hierarchy.
>>
>> -Stephane
>>
>> On Feb 25, 2013 2:56 PM, "Kevin Kelly" <ke...@whitman.edu> wrote:
>> >
>> > I believe the problem is: <srcip>192.168.x.y</srcip>
>> >
>> > There is no IP address in the log entry, so the source IP will never
>> > match. Maybe you could use <hostname></hostname> instead?
>> >
>> > --
>> > Kevin Kelly
>> > Director, Network Technology
>> > Whitman College
>> >
>> > ________________________________
>> > From: "Fredrik" <fredri...@gmail.com>
>> > To: ossec...@googlegroups.com
>> > Sent: Monday, February 25, 2013 1:49:14 AM
>> > Subject: [ossec-list] Rule creation to suppress email alert
>> >
>> > Hello!
>> >
>> > I have read some of the similar posts, but can't seem to get it to work.
>> > I'm trying to stop the following (syslog) message from generating an alert -
>> > while the underlying cause is being dealt with:
>> >
>> > Feb 25 09:40:31.464 apf_foreignap.c:1281
>> > APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB.
>> > MSCB still in init state. Address:00:40:96:a7:50:c6
>> >
>> > I have added a rule to local_rules.xml:
>> >
>> > <!-- This was put in place to silence alerts generated by the Cisco WAC -->
>> > <rule id="100002" level="2">
>> >   <if_sid>1002</if_sid>
>> >   <srcip>192.168.x.y</srcip>
>> >   <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
>> >   <options>no_email_alert</options>
>> > </rule>
>> >
>> > I have tried different match-strings, with/without ip-address, but I
>> > can't seem to get a hit on my custom filter when using the ossec-logtest
>> > binary, and the message keeps generating email alerts.
>> >
>> > What have I got wrong?!
>> >
>> > Fredrik

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
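To make the three ossec-logtest phases in the reply above concrete, here is an added Python sketch. It is not OSSEC code and not from anyone in the thread: it pre-decodes the syslog line into the same hostname / program_name / log fields that Phase 1 reports, treats Phase 2 as "no decoder matched" (so no srcip ever appears on the event), and then evaluates Fredrik's rule as posted next to a copy keyed on <hostname>, as Kevin suggested. The stand-in word list for rule 1002, the rule id 100003, the placeholder hostname 192.168.x.y copied from the redacted post, and the case-insensitive substring matching are assumptions of this example; OSSEC's real pattern syntax and rule engine are richer.

```python
"""Simplified stand-in for the three ossec-logtest phases seen in the thread.

Constructed example, NOT OSSEC code. It models only enough of the pipeline to
show why a <srcip> condition can never hold on an event to which no decoder
added a srcip, while <hostname> (filled in by pre-decoding) can.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the "real" line from the thread (hostname redacted
# by the poster as 192.168.x.y) and the header-less form from the first post.
SYSLOG_LINE = (
    "Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: "
    "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not "
    "Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34"
)
BARE_LINE = (
    "Feb 25 09:40:31.464 apf_foreignap.c:1281 "
    "APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. "
    "MSCB still in init state. Address:00:40:96:a7:50:c6"
)

# Phase 1: pre-decoding of a BSD syslog header "Mon DD HH:MM:SS host program: msg".
SYSLOG_HDR = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:]+): (?P<log>.*)$"
)


def predecode(line):
    """Return the fields ossec-logtest prints under Phase 1 (no srcip among them)."""
    event = {"full_event": line, "log": line}
    m = SYSLOG_HDR.match(line)
    if m:
        event.update(m.groupdict())
    return event


def decode(event):
    """Phase 2. The thread's output says 'No decoder matched', so this adds nothing."""
    return event


# Stand-in for stock rule 1002 (level 2, generic bad words in the log). The word
# list is a constructed approximation, not OSSEC's own BAD_WORDS variable.
BAD_WORDS = ("failed", "failure", "error", "denied", "refused")


def rule_1002_matches(event):
    log = event["log"].lower()
    return any(word in log for word in BAD_WORDS)


def child_matches(rule, event):
    """Evaluate one local rule; every condition present in the XML must hold."""
    for field in ("srcip", "hostname", "program_name"):
        want = rule.findtext(field)
        if want is None:
            continue
        have = event.get(field)
        if have is None or have.lower() != want.lower():
            return False  # field was never decoded, so the condition cannot hold
    pattern = rule.findtext("match")
    if pattern is not None and pattern.lower() not in event["log"].lower():
        return False
    return True


def evaluate(line, local_rules_xml):
    """Phase 3: which rule ends up alerting, and does it carry no_email_alert?"""
    event = decode(predecode(line))
    if not rule_1002_matches(event):
        return None
    chosen = {"rule_id": "1002", "level": 2, "email_suppressed": False}
    for rule in ET.fromstring(local_rules_xml).iter("rule"):
        if rule.findtext("if_sid") != "1002":
            continue
        if child_matches(rule, event):
            opts = (rule.findtext("options") or "").split(",")
            chosen = {"rule_id": rule.get("id"), "level": int(rule.get("level")),
                      "email_suppressed": "no_email_alert" in opts}
            break  # first matching child of 1002 wins in this simplified model
    return chosen


# Fredrik's rule as posted (keyed on srcip) and the same rule keyed on hostname.
# Rule id 100003 is invented for this example.
SRCIP_RULE = """<group name="local">
  <rule id="100002" level="2">
    <if_sid>1002</if_sid>
    <srcip>192.168.x.y</srcip>
    <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
    <options>no_email_alert</options>
  </rule>
</group>"""
HOSTNAME_RULE = SRCIP_RULE.replace(
    "<srcip>192.168.x.y</srcip>", "<hostname>192.168.x.y</hostname>"
).replace('id="100002"', 'id="100003"')

if __name__ == "__main__":
    for label, rules in (("srcip rule", SRCIP_RULE), ("hostname rule", HOSTNAME_RULE)):
        print(f"{label:14} -> {evaluate(SYSLOG_LINE, rules)}")
    print("bare line hostname ->", predecode(BARE_LINE).get("hostname"))
```

Run as a script, the srcip version never leaves rule 1002, because the decoded event has no srcip key at all, whereas the hostname version selects the local rule with no_email_alert set. The header-less line from the first post pre-decodes with no hostname either, which is why testing against the exact line from the logs, as the reply does, matters.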