Awesome, I'll give that a shot. Thanks. 

On Thursday, February 25, 2016 at 1:57:06 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Feb 25, 2016 at 1:50 PM, thak <tha.k...@gmail.com> wrote:
> > I've seen similar topics, so apologies if this has been answered several
> > times but I want to make sure I get guidance for the most recent version!
> >
> > Loving OSSEC so far having set it up in our environment a few days ago.
> > However, rule 1002 is particularly chatty given our Apache error logs.
> > Basically, our application's identity API has a ping function that runs
> > every 5 seconds to check for an authenticated session. It will do this even
> > once the user's session has timed out, so long as that browser or tab is
> > open. We have a lot of customers who time out but don't close the tab
> > (understandably). So when the ping.json function runs, it generates a few
> > log entries with the term "error", specifically
> > https://app-identity.thak.com/idm/error/...
> >
> > In our application this is obviously expected, and we can purge error_log
> > when it gets too big filling with this stuff, but OSSEC is piling up alerts
> > multiple times per minute, and from our security perspective it's really
> > just noise.
> >
> > Can I set up a local rule to
> > <match>https://app-identity.thak.com/idm/error/</match> without an email
> > alert that will trump the default "Unknown problem somewhere in the system"
> > alert for logs containing "error" terminology? I'm really new to writing
> > custom rules but it seems like that wouldn't be too difficult, and throwing
> > that local rules file on our proxies would solve this problem.
> >
>
> Depending on the actual log, that should work. Add an
> "<if_sid>1002</if_sid>" to your custom rule to make sure it overrides
> the 1002 alerts.
> So something like this: 
> <rule id="9999999" level="0"> 
>   <if_sid>1002</if_sid> 
>   <match>https://app-identity.thak.com/idm/error/</match> 
>   <description>Ignore blah blah</description> 
> </rule> 
>
> Put that in place and use ossec-logtest to make sure it works. 
>
>
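
A complete local_rules.xml fragment built around the rule in the reply above, added here as an example rather than taken from the thread or the OSSEC project; the rule id 100001, the group name and the description text are my own choices.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread).
     Every rule must sit inside a <group>; 100000-119999 is the id range
     OSSEC reserves for local rules, and 100001 is an arbitrary pick. -->
<group name="local,syslog,">

  <!-- Child of the generic rule 1002 ("Unknown problem somewhere in the
       system"), which fires on the word "error". <if_sid> means this rule
       is only evaluated after 1002 has matched, and as the more specific
       child it wins. Level 0 produces no alert and therefore no e-mail. -->
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <!-- <match> is a plain substring test against the whole log line,
         so whatever follows /idm/error/ in the URL does not matter. -->
    <match>https://app-identity.thak.com/idm/error/</match>
    <description>Identity API session ping; expected noise under 1002</description>
  </rule>

</group>
```

Check it with /var/ossec/bin/ossec-logtest before restarting: paste one of the offending error_log lines at the prompt and confirm the output reports rule 100001 at level 0 instead of rule 1002.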

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
