Hi all, I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts, but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am getting spammed with rule 510 and am trying to filter it down more. Here is what happens when I enter the log in logtest:

**Phase 1: Completed pre-decoding.
       full event: 'File '/var/lib/docker/devicemapper/mnt/acbc57824bbcbeae3b511a861c7d4aafc7c4f2351ff2c1125d29f06cdb0e4b84/rootfs/opt/apps-server/.cache/Tradeshift.Offline.css' is owned by root and has written permissions to anyone.'
       hostname: 'hostname'
       program_name: '(null)'
       log: 'File '/filepath/' is owned by root and has written permissions to anyone.'

**Phase 2: Completed decoding.
       decoder: 'docker_root'
       id: '/filepath/'

Any ideas on how to fix this?
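The thread carries no reply, so the following is an added example of the override the poster is after; it is an editor's illustration, not code from the thread or from the OSSEC project. Rule 510 is OSSEC's generic rootcheck rule ("Host-based anomaly detection event (rootcheck)", level 7, a child of rule 509 which carries `<decoded_as>rootcheck</decoded_as>`), so the usual way to quiet one finding is a level-0 child of 510 in local_rules.xml that matches that finding. The rule ID 100510, the group name and the choice of the Docker devicemapper mount prefix as the match key are assumptions made for this example:

```xml
<!-- local_rules.xml (added example, not from the thread). Local rule IDs
     100000-119999 are reserved for site rules in OSSEC. -->
<group name="local,rootcheck,">

  <!-- Child of rule 510: evaluated only when 510 already matched, i.e. for
       rootcheck findings. Level 0 means no alert is written, so the generic
       510 alert is suppressed only for events this rule matches. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <!-- <match> is a plain substring match in OSSEC; the path prefix is the
         assumption here: scope it to the Docker devicemapper mounts from the
         poster's event rather than to every world-writable file. -->
    <match>/var/lib/docker/devicemapper/mnt/</match>
    <!-- <regex> uses OSSEC's own regex syntax; this keeps the rule tied to
         the world-writable-file check and not to other rootcheck messages
         under the same path. -->
    <regex>is owned by root and has written permissions to anyone</regex>
    <description>Ignore world-writable file findings under Docker devicemapper mounts.</description>
    <group>rootcheck,</group>
  </rule>

</group>
```

Two caveats. First, the override must load after rootcheck_rules.xml, which the default `<rules>` include order in ossec.conf does for local_rules.xml; restart OSSEC after editing. Second, ossec-logtest feeds whatever is pasted into it as a syslog-queue event, whereas rootcheck findings reach ossec-analysisd on the rootcheck queue and are handled by the built-in rootcheck decoder that rule 509 keys on, so a bare line pasted into logtest is decoded as an ordinary log (here by the 'docker_root' decoder configured on that manager) and never reaches rule 510. That is consistent with the Phase 2 output above ending without a Phase 3 rule match, and it means the override is verified by watching alerts.log after the next rootcheck run rather than with logtest.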