[ossec-list] local_decoder.xml -- can't override (ignore) parent decoder

2017-01-17 Thread Daniel B.
We use weave which periodically causes a network interface to enter promiscuous mode to sniff network traffic. This is expected behavior, and as such, I'm looking to ignore it. For reference, the iptables decoder is set at https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee94

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Daniel B.
> decoder: 'kernel'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100001'
> Level: '0'
> Description: 'Ignore rule 5104.'
>
> (I changed the name of the decoder from iptables to kernel).
>
> I

[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Daniel B.
it works ;).
> Regards.
>
> On Wednesday, January 18, 2017 at 6:11:38 PM UTC+1, Daniel B. wrote:
>> Jesus, thanks for the response. I'm aware of ossec-logtest always showing the name of the parent (which confused me until I RTFM). Using `ossec-l

[ossec-list] Alerts generated despite level '0' rule being hit

2017-01-26 Thread Daniel B.
full_log: Files hidden inside directory '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'. Lin

[ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-27 Thread Daniel B.
Yes, via ./ossec-control -r

On Thursday, January 26, 2017 at 4:41:20 PM UTC-5, Daniel B. wrote:
> <https://lh3.googleusercontent.com/-PjI5QG1OEt4/WIpsiYbmInI/AP8/XaaQ35illHgeh_zq_oAtMKNU6giFsek7QCLcB/s1600/2017-01-26_1638.png>
>
> full_log:
>