On Wed, Nov 25, 2015 at 2:19 PM, Daniel Bray <dbray...@gmail.com> wrote:
> On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote:
>>
>> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for
>> rule 1002, right there towards the top. Note the options element, which
>> contains alert_by_email. That option tells OSSEC to ignore your
>> email_alert_level and just send an email every time this rule matches. As
>> you have seen, rule 1002 is a catch-all heuristics rule that attempts to
>> identify problems in logs based on certain keywords.
>>
>
> Thank you, that explains why level 2 alerts are generating the emails for
> the "BAD_WORDS". I was under the impression that the default level of 7 was
> for all types of rules, but that is clear now.
>
> I'm now left with the feeling that that is the main cause of these alerts
> coming in: even though I have the filters in local_rules.xml, level 2 alerts
> are still coming in, even when logtest shows that it should stop. Here is
> another simple example of a local_rule working for logtest, but still
> generating email alerts.
>
> /var/ossec/rules/local_rules.xml
> <rule id="100010" level="0">
>   <program_name>accelerator</program_name>
>   <regex>Update peer failed with code 22</regex>
>   <description>Ignore Expand Warnings</description>
> </rule>
>
> /var/ossec/bin/ossec-logtest
> 2015/11/25 19:15:23 ossec-testrule: INFO: Reading local decoder file.
> 2015/11/25 19:15:24 ossec-testrule: INFO: Started (pid: 6713).
> ossec-testrule: Type one log per line.
>
> Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.'
>        hostname: 'x.x.x.x'
>        program_name: 'accelerator'
>        log: ' Update peer failed with code 22.'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100010'
>        Level: '0'
>        Description: 'Ignore Expand Warnings'
>
>
> So, even though logtest shows it will be a Level: '0', I still get an email
> alert as:
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>
And strangely enough, this works just fine for me (ignored when fed through
logger). Can you update to the latest OSSEC source from github and try that?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
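The two points made in the quoted messages (rule 1002's alert_by_email option overrides email_alert_level, and a level-0 local rule should silence the line before 1002 ever sees it) can be checked against a small model of what ossec-logtest reports. The following is an added example, not code from this thread or from the OSSEC project: a simplified Python re-implementation of syslog pre-decoding and rule selection, driven by a constructed rule file that keeps the shape of rule 1002 (with a trimmed BAD_WORDS list) and includes the local ignore rule from the thread. It assumes, following OSSEC's rule-level classification of level 0 as "ignored, scanned before all the others", that level-0 rules are evaluated first; it stands in Python's re for OSSEC's own regex dialect (identical for the plain literal used here), and it ignores decoders, if_sid chains and frequency options.

```python
"""Simplified model of ossec-logtest for one syslog line (added example).

Not OSSEC's code: it mimics Phase 1 (pre-decoding) and Phase 3 (rule
selection) closely enough to show why a level-0 local rule silences a
line that rule 1002 would otherwise email about.
"""
import re
import xml.etree.ElementTree as ET

# Constructed rule set: the shape of rule 1002 from syslog_rules.xml (the
# real BAD_WORDS variable is longer) plus the local ignore rule from the thread.
RULES_XML = """
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100010" level="0">
    <program_name>accelerator</program_name>
    <regex>Update peer failed with code 22</regex>
    <description>Ignore Expand Warnings</description>
  </rule>
</group>
"""

# Subset of OSSEC's BAD_WORDS keyword list (assumption: trimmed for the example).
BAD_WORDS = ("failed", "failure", "error", "denied", "refused", "unauthorized")

# Syslog pre-decoder: timestamp, hostname, program_name[pid]: log.  The log
# field keeps its leading space, as the logtest output in the thread shows.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:(?P<log>.*)$"
)


def predecode(line):
    """Phase 1: split a syslog line into the fields rules can match on."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"full_event": line, "hostname": None, "program_name": None, "log": line}
    return {"full_event": line, "hostname": m["hostname"],
            "program_name": m["program_name"], "log": m["log"]}


def load_rules(xml_text):
    """Parse the subset of rule syntax used here; level-0 rules go first."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "match": r.findtext("match"),
            "regex": r.findtext("regex"),
            "program_name": r.findtext("program_name"),
            "options": [o.text.strip() for o in r.findall("options") if o.text],
            "description": r.findtext("description", ""),
        })
    # Assumption modelled on OSSEC's classification of level 0 ("ignored,
    # scanned before all the others"); the stable sort keeps file order otherwise.
    return sorted(rules, key=lambda r: r["level"] != 0)


def rule_matches(rule, ev):
    """Phase 3 conditions modelled here: program_name, match, regex."""
    if rule["program_name"]:
        if ev["program_name"] is None or not re.search(rule["program_name"], ev["program_name"]):
            return False
    if rule["match"]:
        needles = BAD_WORDS if rule["match"] == "$BAD_WORDS" else (rule["match"],)
        if not any(w in ev["log"] for w in needles):
            return False
    # Assumption: Python re stands in for OSSEC's own regex dialect; the plain
    # literal used in the thread's rule behaves identically in both.
    if rule["regex"] and not re.search(rule["regex"], ev["log"]):
        return False
    return True


def evaluate(line, rules):
    """Return the first rule that matches, or None (no rule, no alert)."""
    ev = predecode(line)
    for rule in rules:
        if rule_matches(rule, ev):
            return rule
    return None


def email_sent(rule, email_alert_level=7):
    """The point made in the thread: level 0 generates nothing at all, and
    alert_by_email forces an email regardless of email_alert_level."""
    if rule is None or rule["level"] == 0:
        return False
    return "alert_by_email" in rule["options"] or rule["level"] >= email_alert_level


def logtest(line, email_alert_level=7, rules_xml=RULES_XML):
    """(rule id, level, email?) for a line, or None when nothing fires."""
    rule = evaluate(line, load_rules(rules_xml))
    if rule is None:
        return None
    return rule["id"], rule["level"], email_sent(rule, email_alert_level)


# Constructed sample lines: the one from the thread, a near miss, and a clean line.
SAMPLE_LOGS = [
    "Nov 25 19:11:45 x.x.x.x accelerator[4124]: Update peer failed with code 22.",
    "Nov 25 19:12:01 x.x.x.x accelerator[4124]: Update peer failed with code 23.",
    "Nov 25 19:12:30 x.x.x.x sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 50122",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(logtest(line), "<-", line)
```

Run with no arguments to see the three sample lines classified: the thread's line stops at 100010 with no email, the "code 23" variant falls through to 1002 and is emailed despite being level 2, and the sshd line fires nothing. One check worth making before chasing rule syntax when logtest and live alerts disagree like this: ossec-logtest re-reads the rules directory every time it starts, whereas the running ossec-analysisd loads local_rules.xml only at startup, so confirm the daemon has been restarted (/var/ossec/bin/ossec-control restart) since the rule was added; updating to the latest source, as suggested above, is the next thing to try.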