[ossec-list] ossec-logtest and actual alerts not working the same

2012-04-16 Thread sklauminzer
I have modified my syslog_rules.xml to exclude alerts for standard OSX Server error messages and while they work in ossec-logtest they do not alter the alerting policy on the server. Rule from syslog_rules: 1002 servermgrd no_email_alert Server Manager errors ignore E

Re: [ossec-list] ossec-logtest and actual alerts not working the same

2013-12-05 Thread BBcan177
I am having somewhat of a similar issue. I have OSSEC 2.7.1 running on a server and one of the agents that I am monitoring is running a zimbra/postfix mail server. There are two alerts that I am having issues with (Invalid Password and Account Lockout). I tested locking out an account by rapid s

Re: [ossec-list] ossec-logtest and actual alerts not working the same

2012-04-18 Thread dan (ddp)
What happens if you stop modifying syslog_rules.xml and add your rules to local_rules.xml?

On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer wrote:
> I have modified my syslog_rules.xml to exclude alerts for standard OSX
> Server error messages and while they work in ossec-logtest they do not
> alter

Re: [ossec-list] ossec-logtest and actual alerts not working the same

2012-04-18 Thread Christopher Moraes
Since you mentioned this -

On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer wrote:
> This is happening with all syslog_rules.xml modifications, but
> msauth_rules.xml mods *are* working.
>

Is it possible that there is a copy of your syslog-rules.xml file that is triggering the rule 1002? If you

Re: [ossec-list] ossec-logtest and actual alerts not working the same

2012-04-19 Thread Scott Klauminzer
Yes, only 1 entry is returned:

grep "rule id=\"1002\"" /var/ossec/rules/*.xml
/var/ossec/rules/syslog_rules.xml:

Scott

On Apr 18, 2012, at 1:08 PM, Christopher Moraes wrote:
> Since you mentioned this -
>
> On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer wrote:
> This is happening with all

Re: [ossec-list] ossec-logtest and actual alerts not working the same

2012-04-20 Thread Christopher Moraes
Scott, can you try this -

1. Shutdown ossec
2. Wait for a minute
3. Check that no ossec processes are running (ps -eaf | grep ossec)
4. Start OSSEC and check if you are still getting the alerts

On Thu, Apr 19, 2012 at 11:19 AM, Scott Klauminzer wrote:
> Yes, Only 1 entry is returned:
>
> g

Re: [ossec-list] ossec-logtest and actual alerts not working the same

2012-04-20 Thread Scott Klauminzer
I think you've hit it, Christopher. I hadn't been checking to see that the process tree had stopped. It appears that at one point in the past the tree failed to respond. After waiting 10 minutes the tree was still active, I killed all ossec processes and it now responds as I would expect to the s