I stopped them all (which appeared to work fine) and started them again. Here is the rule and decoder I made for this (I want to alert only once if the same ID (filepath) has alerted in the past minute):
  <rule id="80100" level="7" frequency="2" timeframe="60" ignore="120">
    <!-- fires on repeated rule-510 matches with the same decoded id inside the
         timeframe, then suppresses repeats for that id for the ignore period -->
    <if_matched_sid>510</if_matched_sid>
    <same_id />
    <description>This is meant to reduce noise as these events happen in batches with not much difference in meaning.</description>
  </rule>

DECODER:

  <decoder name="sample_decoder_setup">
    <prematch>^(\.+) (\p/filepath\.+) </prematch>
    <regex>(/filepath/\.+/mnt/\.+/)</regex>
    <order>id</order>
  </decoder>

Logtest returns the id I am looking for to match and that part works fine. It only gets to the first 2 steps though, and does not match it with a rule in logtest.

On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <tsinfo...@gmail.com> wrote:
> > Yes I have, I've also tried to disable all the relevant changes I've made,
> > restart, and still have the same issue.
> >
>
> Try stopping the ossec processes, verify that ossec-analysisd has
> stopped (sometimes it doesn't and causes issues), and start it back
> up.
> Can you also post the changes you made?
>
> > On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
> >>
> >> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com> wrote:
> >> > Hi all,
> >> >
> >> > I'm running into an issue where rule 510 is triggering and I'm getting
> >> > spammed with alerts but I can't seem to tune it correctly. What's weird is
> >> > that I am still getting alerted for rule 510 for this log, but I can't
> >> > figure out how to get that to show in logtest. Basically, I am getting
> >> > spammed with rule 510 and trying to filter it down more and here is what
> >> > happens when I enter the log in logtest: .... any ideas on how to fix
> >> > this?
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> >
> >> > full event: 'File '/filepath/' is owned by root and has written
> >> > permissions to anyone.'
> >> >
> >> > hostname: 'hostname'
> >> >
> >> > program_name: '(null)'
> >> >
> >> > log: 'File '/filepath/' is owned by root and has written permissions
> >> > to anyone.'
> >> >
> >> >
> >> > **Phase 2: Completed decoding.
> >> >
> >> > decoder: 'sample_decoder_setup'
> >> >
> >> > id: '/filepath/'
> >> >
> >>
> >> Did you restart the OSSEC processes on the server after making your
> >> modifications?
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to ossec-list+...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
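As an added example (my own code, not OSSEC's and not posted by anyone in this thread), the Python below models what rule 80100 asks for over a constructed log: a decode step for the rootcheck message shape visible in the logtest output, then a simplified composite-rule pass with frequency, timeframe, same_id and ignore. The paths, timestamps, the Python regex standing in for the OSSEC decoder, and the exact counting semantics are assumptions; OSSEC's real frequency counter is documented to differ slightly from this sliding window. What the model makes concrete is that with frequency="2" a single decoded event can never satisfy the rule, and that after a firing the ignore window swallows further bursts for the same id.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Decoder step, approximated with a Python regex (OSSEC decoders use their own
# regex dialect).  The message shape is the one shown in the logtest output above.
ROOTCHECK_RE = re.compile(
    r"^File '(?P<id>[^']+)' is owned by root and has written permissions to anyone\.$"
)


def decode(line: str) -> Optional[str]:
    """Return the decoded 'id' field (the file path), or None if the line does not match."""
    m = ROOTCHECK_RE.match(line)
    return m.group("id") if m else None


@dataclass(frozen=True)
class Event:
    ts: int   # seconds since the start of the constructed log
    sid: int  # base rule that matched (510 for the rootcheck message here)
    id: str   # decoded id field


@dataclass(frozen=True)
class CompositeRule:
    rule_id: int
    if_matched_sid: int
    frequency: int    # matches needed inside the timeframe
    timeframe: int    # seconds
    ignore: int = 0   # seconds to suppress repeat firings for the same id
    same_id: bool = True


def run_rule(rule: CompositeRule, events: List[Event]) -> List[Tuple[int, str]]:
    """Return (timestamp, id) for each time the composite rule fires.

    Simplified model (assumption, not OSSEC's implementation): a sliding window
    of base-rule matches per id; when the window holds `frequency` matches the
    rule fires, the window resets, and firings for that id are suppressed for
    `ignore` seconds.
    """
    window = defaultdict(deque)  # id -> timestamps of base-rule matches in the window
    ignore_until = {}            # id -> timestamp until which firings are suppressed
    fired = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sid != rule.if_matched_sid:
            continue
        key = ev.id if rule.same_id else ""
        q = window[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > rule.timeframe:  # drop matches older than the timeframe
            q.popleft()
        if len(q) < rule.frequency:
            continue
        if ev.ts < ignore_until.get(key, 0):
            continue                                 # still inside the ignore window
        fired.append((ev.ts, key))
        ignore_until[key] = ev.ts + rule.ignore
        q.clear()
    return fired


def alerts_for(rule: CompositeRule, log: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Decode (ts, line) pairs, treat every decoded line as a rule-510 match, run the composite rule."""
    events = [Event(ts, 510, path) for ts, line in log if (path := decode(line)) is not None]
    return run_rule(rule, events)


# Rule 80100 as posted in the thread, expressed in this model.
RULE_80100 = CompositeRule(rule_id=80100, if_matched_sid=510, frequency=2, timeframe=60, ignore=120)

# Constructed sample log (paths and timings are made up): bursty repeats for one path.
MSG = "File '{}' is owned by root and has written permissions to anyone."
SAMPLE_LOG = [
    (0,   MSG.format("/mnt/data/a")),
    (10,  MSG.format("/mnt/data/a")),   # second match within 60 s -> fires
    (20,  MSG.format("/mnt/data/a")),   # inside the 120 s ignore window
    (25,  MSG.format("/mnt/data/b")),   # only one match for this id, never fires
    (70,  MSG.format("/mnt/data/a")),   # still inside the ignore window
    (200, MSG.format("/mnt/data/a")),
    (210, MSG.format("/mnt/data/a")),   # ignore window expired, two matches again -> fires
    (215, "sshd: Accepted publickey for admin"),  # not a rootcheck line; the decoder skips it
]

if __name__ == "__main__":
    for ts, path in alerts_for(RULE_80100, SAMPLE_LOG):
        print(f"t={ts:>4}s rule {RULE_80100.rule_id} fired for id={path}")
```

Running it prints one line per firing; feeding it only the first log entry produces nothing, which is the single-event case. To check a real rule, submit the same log line to ossec-logtest more than once inside the timeframe rather than judging the composite rule from one submission.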