Hello Keith,

It seems that the modifications made to your rule are not being applied.
In order to apply the modifications made to the rules, you will need to 
restart the OSSEC service on your server.
Also, make sure that the events that are being alerted are matching 
all the conditions from your custom rule:

*<if_sid>18103</if_sid>*
*<id>^36871$</id>*
*<user>SYSTEM</user>*
*<match>Schannel</match>*

Once you restart your server, you should be applying the latest 
modifications made to your rule.
I hope this helps.

Regards,
Jose Manuel Lopez

On Thursday, July 16, 2020 at 3:40:23 PM UTC+2 Keith wrote:

> Hey everyone,
>
> In trying to do some tuning to ignore overly noisy log messages I don't 
> care about, I'm running into an issue and I'm hoping someone here can help 
> me with this.
>
> I have this log being generated I want to ignore:
>
> 2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT 
> AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred 
> while creating an SSL client credential. The internal error state is 10013
>
> I created/added the following into local.rules:
>
> <rule id="200010" level="0">
>   <if_sid>18103</if_sid>
>   <id>^36871$</id>
>   <user>SYSTEM</user>
>   <match>Schannel</match>
>   <description>ignore schannel errors</description>
> </rule>
>
> When I then run the log through ossec-logtest I get the following showing 
> it is matching at level 0
>
> root@SEC02:/var/ossec/bin# ./ossec-logtest 
> 2020/07/16 13:26:52 ossec-testrule: INFO: Reading local decoder file.
> 2020/07/16 13:26:52 ossec-testrule: INFO: Started (pid: 74716).
> ossec-testrule: Type one log per line.
>
> 2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT 
> AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred 
> while creating an SSL client credential. The internal error state is 10013.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): 
> Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A 
> fatal error occurred while creating an SSL client credential. The internal 
> error state is 10013.'
>        hostname: 'SEC02'
>        program_name: '(null)'
>        log: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): 
> Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A 
> fatal error occurred while creating an SSL client credential. The internal 
> error state is 10013.'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'ERROR'
>        id: '36871'
>        extra_data: 'Schannel'
>        dstuser: 'SYSTEM'
>        system_name: 'somerandomserver.public.mycorp.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '200010'
>        Level: '0'
>        Description: 'ignore schannel errors'
>
> The log however is still being forwarded into my Splunk server from OSSEC 
> - any ideas on what I'm doing wrong and how to prevent these logs from 
> being forwarded?
>
> Also, I do have log_alert_level as 1 in ossec.conf:
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>12</email_alert_level>  
>   </alerts>
>
> Any suggestions would be great.
>
> Thanks --
>
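The Phase 2 / Phase 3 behaviour shown in the ossec-logtest output above, and the restart point in the reply, as an added example that is neither part of this thread nor OSSEC's own code: a small Python simulator that decodes the quoted WinEvtLog line into the same fields ossec-logtest printed, evaluates the quoted local.rules entry against them, and reports whether the result would clear a `log_alert_level` of 1. The decoder regex, the `os_match_like` helper (substring unless anchored with `^`/`$`) and the parent-rule stand-in are approximations of the stock windows decoder, of OSSEC's os_match, and of rules 18100/18103 respectively; the level 5 assumed for 18103 is an assumption, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the Schannel event from the thread, as ossec-logtest echoed it.
SAMPLE_LOG = (
    "2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT "
    "AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred "
    "while creating an SSL client credential. The internal error state is 10013."
)

# The local.rules entry from the thread, wrapped in the <group> local.rules expects.
LOCAL_RULES = """<group name="local,">
  <rule id="200010" level="0">
    <if_sid>18103</if_sid>
    <id>^36871$</id>
    <user>SYSTEM</user>
    <match>Schannel</match>
    <description>ignore schannel errors</description>
  </rule>
</group>"""

# Assumption: the stock rule 18103 ("Windows error event") carries level 5.
PARENT_LEVEL = 5

# Approximation (assumption) of the stock 'windows' decoder's field layout:
#   WinEvtLog: <log>: <status>(<id>): <source>: <user>: <domain>: <system_name>: <msg>
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode_winevt(log):
    """Phase 2 stand-in: the fields the windows decoder would expose, or {} if none."""
    m = WINEVT_RE.search(log)
    return m.groupdict() if m else {}


def parse_rules(xml_text):
    """Read the conditions this example evaluates from a local.rules-style XML string."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip(),
            "id_pat": r.findtext("id"),
            "user": r.findtext("user"),
            "match": r.findtext("match"),
            "description": r.findtext("description") or "",
        })
    return rules


def os_match_like(pattern, value):
    """Approximation of OSSEC os_match: substring test unless ^ and/or $ anchor it."""
    if value is None:
        return False
    starts, ends = pattern.startswith("^"), pattern.endswith("$")
    core = pattern.lstrip("^").rstrip("$")
    if starts and ends:
        return value == core
    if starts:
        return value.startswith(core)
    if ends:
        return value.endswith(core)
    return core in value


def parent_rule(fields):
    """Stand-in for the stock chain: 18103 for ERROR events, else the 18100 group rule."""
    if fields.get("status") == "ERROR":
        return {"id": "18103", "level": PARENT_LEVEL, "description": "Windows error event."}
    return {"id": "18100", "level": 0, "description": "Group of windows rules."}


def rule_matches(rule, fields, log, parent_id):
    """All conditions must hold: <id>/<user> on decoded fields, <match> on the raw log."""
    if rule["if_sid"] and rule["if_sid"] != parent_id:
        return False
    if rule["id_pat"] and not os_match_like(rule["id_pat"], fields.get("id")):
        return False
    if rule["user"] and not os_match_like(rule["user"], fields.get("dstuser")):
        return False
    if rule["match"] and rule["match"] not in log:
        return False
    return True


def evaluate(log, rules_xml, log_alert_level=1):
    """Phase 3 stand-in: first matching child wins, else the parent; level 0 never alerts."""
    fields = decode_winevt(log)
    if not fields:
        return {"rule_id": None, "level": None, "description": "not a WinEvtLog line", "alerted": False}
    winner = parent_rule(fields)
    for rule in parse_rules(rules_xml):
        if rule_matches(rule, fields, log, winner["id"]):
            winner = rule
            break
    return {
        "rule_id": winner["id"],
        "level": winner["level"],
        "description": winner["description"],
        "alerted": winner["level"] > 0 and winner["level"] >= log_alert_level,
    }


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_LOG.replace("ERROR(36871)", "ERROR(36874)")):
        print(evaluate(log, LOCAL_RULES))
```

Two points the simulation makes visible. First, the anchored `^36871$` is what keeps the suppression narrow: an unanchored `36871` would also match an event ID such as `136871`, which is the kind of over-broad silencing a tuning rule should avoid. Second, a level-0 match ends evaluation with no alert, which is exactly what the logtest output reports; ossec-logtest reads the rule files from disk on every run, whereas the running analysis daemon only loads them at startup, so the on-disk rule can pass logtest while the live service keeps alerting until it is restarted, as the reply notes.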

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/e7b708fb-7af6-4bec-b999-6176e79d542fn%40googlegroups.com.
