I've pretty much already done that, and have had the same results. I've tried it with <if_sid>1002</if_sid> and without, I've tried it with <match> or with <regex>. Each time, logtest catches it as a "will not alert", but the emails still continue to come in.
On Wednesday, November 25, 2015 at 3:00:57 PM UTC-5, LostInThe Tubez wrote:
>
> Let's keep things simple for the purposes of troubleshooting. Verify a basic rule works, then you can get as complex as you like. Try using this:
>
> <rule id="100010" level="0">
> <if_sid>1002</if_sid>
> <match>Update peer failed with code 22</match>
> <description>testing </description>
> </rule>
>
> Also, copy/paste the exact alert message when/if you get one. Be very careful not to replace white space if you are sanitizing the data. It will allow us to corroborate what you are seeing.
>
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Daniel Bray
> Sent: Wednesday, November 25, 2015 12:20 PM
> To: ossec-list <ossec...@googlegroups.com>
> Subject: Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2
>
> On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote:
> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 1002, right there towards the top. Note the options element, which contains alert_by_email. That option tells OSSEC to ignore your email_alert_level and just send an email every time this rule matches. As you have seen, rule 1002 is a catch-all heuristics rule that attempts to identify problems in logs based on certain keywords.
>
> Thank you, that explains why level 2 alerts are generating the emails for the "BAD_WORDS". I was under the impression that the default level of 7 was for all types of rules, but that is clear now.
>
> I'm now left with the feeling that that is the main cause of these alerts coming in. Even though I have the filters in local_rules.xml, level 2 alerts are still coming in, even when logtest shows that it should stop. Here is another simple example of a local_rule working for logtest, but still generating email alerts.
>
> /var/ossec/rules/local_rules.xml
> <rule id="100010" level="0">
> <program_name>accelerator</program_name>
> <regex>Update peer failed with code 22</regex>
> <description>Ignore Expand Warnings</description>
> </rule>
>
> /var/ossec/bin/ossec-logtest
> 2015/11/25 19:15:23 ossec-testrule: INFO: Reading local decoder file.
> 2015/11/25 19:15:24 ossec-testrule: INFO: Started (pid: 6713).
> ossec-testrule: Type one log per line.
>
> Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.'
> hostname: 'x.x.x.x'
> program_name: 'accelerator'
> log: ' Update peer failed with code 22.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100010'
> Level: '0'
> Description: 'Ignore Expand Warnings'
>
> So, even though logtest shows it will be a Level: '0', I still get an email alert as:
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
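The thread's point is that rule 1002 carries the alert_by_email option, so it mails on every match no matter what email_alert_level says, and that a level-0 rule chained to it with if_sid is the documented way to silence it. The following added example (not from the thread and not OSSEC's own code) audits a pair of rules files for exactly that: it lists rules that force email and the level-0 overrides explicitly chained to each one. The rule 1002 text and the BAD_WORDS value are a constructed approximation of syslog_rules.xml, and the thread's second local rule is renumbered to 100011 so both variants can coexist; the audit only reports overrides chained via if_sid, not every rule that could happen to match first.

```python
import xml.etree.ElementTree as ET

# Constructed approximation of the relevant part of syslog_rules.xml (not a verbatim copy).
SYSLOG_RULES = """
<var name="BAD_WORDS">failure|error|failed|denied</var>
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

# The two override rules from the thread; the second is renumbered to 100011 (assumption).
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <match>Update peer failed with code 22</match>
    <description>testing</description>
  </rule>
  <rule id="100011" level="0">
    <program_name>accelerator</program_name>
    <regex>Update peer failed with code 22</regex>
    <description>Ignore Expand Warnings</description>
  </rule>
</group>
"""

def parse_rules(text):
    # Rules files may hold several top-level <var>/<group> elements, so wrap them in a synthetic root.
    root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    rules = {}
    for r in root.iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level", "0")),
            "if_sid": [s.strip() for s in (r.findtext("if_sid") or "").split(",") if s.strip()],
            "options": [o.text.strip() for o in r.findall("options") if o.text],
        }
    return rules

def sends_email(rule, email_alert_level):
    # alert_by_email forces a mail on every match, no_email_alert suppresses it, else the threshold applies.
    if "no_email_alert" in rule["options"]:
        return False
    return "alert_by_email" in rule["options"] or rule["level"] >= email_alert_level

def audit(base_text, local_text, email_alert_level=7):
    rules = parse_rules(base_text)
    rules.update(parse_rules(local_text))  # local rules are loaded alongside the stock ones
    report = {}
    for rid, r in rules.items():
        if "alert_by_email" in r["options"]:
            chained = sorted(c for c, cr in rules.items() if rid in cr["if_sid"] and cr["level"] == 0)
            report[rid] = {"emails_below_threshold": sends_email(r, email_alert_level), "level0_overrides": chained}
    return report

if __name__ == "__main__":
    print(audit(SYSLOG_RULES, LOCAL_RULES))
```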