I'm confused about how to use the rule types built into the OSSEC log rule 
syntax.  

I have a localfile declared in my /var/ossec/etc/shared/agent.conf....

<agent_config name="centrallogger">
  <localfile>
    <location>/var/log/LOC/*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

This is a central logging "catchall" server that I send multiple systems 
logs to and I run an OSSEC agent on that syslog server to watch all the 
logs.   So all .log files in /var/log/LOC on server1 should be syslog 
format....  I'm receiving alerts from these logs just fine.  Alerts come 
from "centrallogger" but the first line states the location so I know which 
server the alert is referencing.  There are some scripting errors on one of 
the servers sending logs to "centrallogger" and I want to filter them out.  
So I wrote a rule in local.rules on my OSSEC server that included a <srcip> 
declaration:

<rule id="100073" level="0">
  <if_sid>5720</if_sid>
  <srcip>192.168.1.5</srcip>
  <hostname>centrallogger</hostname>
  <description>scripted maint failing on interconnect links</description>
</rule>

To suppress the alert I was receiving below.........

OSSEC HIDS Notification.

2016 Aug 18 08:36:29

Received From: (centrallogger) 10.147.130.0->/var/log/LOC/loggedserver1.log

Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."

Portion of the log(s):

Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36942 ssh2
Aug 18 07:30:24 192.168.1.5 sshd[20227]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36941 ssh2
Aug 18 07:30:23 192.168.1.5 sshd[20205]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36939 ssh2

And the suppression is not working.  I've 
also attempted a <match> on ASCII text "Failed none for root".  I've 
historically had issues getting matching to work in log messages and I'm 
wondering if this has something to do with using a wildcard, or if my 
syslog log format decoder is not working properly?  If I'm using <srcip> 
OSSEC has to recognize where the SRCIP is in the syslog string?


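As an added illustration for the question above (not from the original post and not OSSEC's own code), the following Python script models what the syslog pre-decoder and the sshd decoder pull out of the three pasted lines, so that the values a <srcip> or <hostname> condition is compared against can be checked before a suppression rule is written. The regexes, the rule_matches() helper and the sample lines are constructed here; that srcip comes from the "from" address and hostname from the syslog header is modelled on the standard OSSEC sshd decoders, and the treatment of the Solaris "[ID ...]" tag is an assumption.

```python
import re
from typing import Optional

# Constructed sample: the three sshd lines from the alert, one per line.
SAMPLE_LOG = """\
Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36942 ssh2
Aug 18 07:30:24 192.168.1.5 sshd[20227]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36941 ssh2
Aug 18 07:30:23 192.168.1.5 sshd[20205]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36939 ssh2
"""

# Syslog header "<Mon> <day> <hh:mm:ss> <hostname> <program>[<pid>]: <msg>": the hostname
# is what the sending host wrote (192.168.1.5), not the agent name in "Received From".
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd "Failed ... for USER from SRCIP port N proto", modelled on the sshd-failed
# decoder (order: user, srcip). Skipping the Solaris "[ID nnn fac.lvl]" tag is an assumption.
SSHD_FAILED_RE = re.compile(
    r"^(?:\[ID \d+ [\w.]+\] )?Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\S+) port \d+ \w+$"
)

def decode(line: str) -> Optional[dict]:
    """Return the fields a rule can test (hostname, program_name, user, srcip), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {"hostname": m["hostname"], "program_name": m["program"], "user": None, "srcip": None}
    body = SSHD_FAILED_RE.match(m["msg"])
    if body:
        fields["user"], fields["srcip"] = body["user"], body["srcip"]
    return fields

def decode_all(text: str) -> list:
    """Decode every line, dropping lines that are not syslog-formatted."""
    return [f for f in (decode(l) for l in text.splitlines()) if f]

def rule_matches(fields: dict, srcip: Optional[str] = None, hostname: Optional[str] = None) -> bool:
    """Simplified <srcip>/<hostname> test: each condition given must equal the decoded field."""
    if srcip is not None and fields.get("srcip") != srcip:
        return False
    if hostname is not None and fields.get("hostname") != hostname:
        return False
    return True

if __name__ == "__main__":
    for f in decode_all(SAMPLE_LOG):
        print(f, "| rule as written:", rule_matches(f, srcip="192.168.1.5", hostname="centrallogger"),
              "| rule on decoded fields:", rule_matches(f, srcip="192.168.1.1", hostname="192.168.1.5"))
```

Running it prints, for each line, the decoded fields followed by whether the rule's conditions as written and the conditions built from the decoded values would match, which is the comparison to make before deciding which field a suppression should key on.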