Hi all,

I'm running into an issue where rule 510 is triggering and I'm getting 
spammed with alerts but I can't seem to tune it correctly. What's weird is 
that I am still getting alerted for rule 510 for this log, but I can't 
figure out how to get that to show in logtest. Basically, I am getting 
spammed with rule 510 and trying to filter it down more and here is what 
happens when I enter the log in logtest:    .... any ideas on how to fix 
this?

**Phase 1: Completed pre-decoding.

       full event: 'File '/var/lib/docker/devicemapper/mnt/acbc57824bbcbeae3b511a861c7d4aafc7c4f2351ff2c1125d29f06cdb0e4b84/rootfs/opt/apps-server/.cache/Tradeshift.Offline.css' is owned by root and has written permissions to anyone.'

       hostname: 'hostname'

       program_name: '(null)'

       log: 'File '/filepath/' is owned by root and has written permissions to anyone.'


**Phase 2: Completed decoding.

       decoder: 'docker_root'

       id: '/filepath/'
