I've seen similar topics, so apologies if this has been answered several 
times but I want to make sure I get guidance for the most recent version! 

Loving OSSEC so far having set it up in our environment a few days ago. 
However, rule 1002 is particularly chatty given our Apache error logs. 
Basically, our application's identity API has a ping function that runs 
every 5 seconds to check for an authenticated session. It will do this even 
once the user's session has timed out, so long as that browser or tab is 
open. We have a lot of customers who time out but don't close the tab 
(understandably). So when the ping.json function runs, it generates a few 
log entries with the term "error", specifically 
https://app-identity.thak.com/idm/error/... 

In our application this is obviously expected, and we can purge error_log 
when it gets too big filling with this stuff, but OSSEC is piling up alerts 
multiple times per minute, and from our security perspective it's really 
just noise. 

Can I set up a local rule to 
<match>https://app-identity.thak.com/idm/error/</match> without an email 
alert that will trump the default "Unknown problem somewhere in the system" 
alert for logs containing "error" terminology? I'm really new to writing 
custom rules but it seems like that wouldn't be too difficult, and throwing 
that local rules file on our proxies would solve this problem. 
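For reference, this is what such an override looks like in OSSEC's rule syntax. It is an added example, not code from the original post or from OSSEC's shipped rule set; the rule ids 100100/100101, the group name and the description strings are my own choices, and it assumes the entries are matched through the generic syslog rule 1002 as described above.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC manager (rules are
     evaluated there, not on the agents). Ids 100000-119999 are reserved
     for local rules, which are loaded after the shipped rules. -->
<group name="local,syslog,">

  <!-- Option A: silence the session-ping noise entirely.
       Level 0 means the event is matched but never alerted or emailed.
       if_sid 1002 makes this a child of the generic "Unknown problem
       somewhere in the system" rule, so it only overrides that case and
       leaves every other "error" line alerting as before. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>https://app-identity.thak.com/idm/error/</match>
    <description>Expected identity API session-ping error; ignored.</description>
  </rule>

  <!-- Option B: keep a low-level entry in alerts.log for audit purposes,
       but never send it by email. Use one option or the other, not both. -->
  <!--
  <rule id="100101" level="1">
    <if_sid>1002</if_sid>
    <match>https://app-identity.thak.com/idm/error/</match>
    <options>no_email_alert</options>
    <description>Expected identity API session-ping error; logged, no email.</description>
  </rule>
  -->

</group>
```

After restarting OSSEC on the manager, paste one of the offending error_log lines into /var/ossec/bin/ossec-logtest and confirm it reports the local rule instead of 1002 before trusting the change.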
