Hey everyone,
In trying to do some tuning to ignore overly noisy log messages I don't care about, I'm running into an issue and I'm hoping someone here can help me with this.
I have this log being generated I want to ignore:
2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY:
somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013
I created/added the following into local.rules:
<rule id="200010" level="0">
  <if_sid>18103</if_sid>
  <id>^36871$</id>
  <user>SYSTEM</user>
  <match>Schannel</match>
  <description>ignore schannel errors</description>
</rule>
When I then run the log through ossec-logtest I get the following, showing it is matching at level 0:
root@SEC02:/var/ossec/bin# ./ossec-logtest
2020/07/16 13:26:52 ossec-testrule: INFO: Reading local decoder file.
2020/07/16 13:26:52 ossec-testrule: INFO: Started (pid: 74716).
ossec-testrule: Type one log per line.
2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY:
somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
**Phase 1: Completed pre-decoding.
full event: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY:
somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.'
hostname: 'SEC02'
program_name: '(null)'
log: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY:
somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'ERROR'
id: '36871'
extra_data: 'Schannel'
dstuser: 'SYSTEM'
**Phase 3: Completed filtering (rules).
Rule id: '200010'
Level: '0'
Description: 'ignore schannel errors'
The log however is still being forwarded into my Splunk server from OSSEC. Any ideas on what I'm doing wrong and how to prevent these logs from being forwarded?
Also, I do have log_alert_level as 1 in ossec.conf:
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>
Any suggestions would be great.
Thanks --
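As an added example (not part of the post above and not OSSEC's own code), the following Python models what ossec-logtest shows in Phases 2 and 3: the Windows event line is split into the fields the `windows` decoder exposes (status, id, extra_data, dstuser), and the rule's `<id>`, `<user>` and `<match>` children are evaluated against those fields. The regex and the rule dictionary are simplifications assumed for illustration; the `<if_sid>` parent (18103) is assumed to have already fired.

```python
import re

# Constructed sample: the Schannel event from the post, unwrapped onto one line.
SAMPLE_LOG = ("2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: "
              "SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error "
              "occurred while creating an SSL client credential. The internal error state is 10013.")

# Assumed approximation of the fields the OSSEC 'windows' decoder produces for a
# WinEvtLog line (see the Phase 2 output in the post); not the real decoder.
WINEVT_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<hostname>[^:]+): (?P<message>.*)$"
)

def decode_winevt(line):
    """Return the decoded fields for a WinEvtLog line, or None if it does not parse."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None

# Model of the local.rules entry: each child element becomes a check.
# <id> and <user> test decoded fields; <match> tests the full log line.
RULE_200010 = {
    "id": "200010",
    "level": 0,
    "if_sid": "18103",  # parent rule, assumed to have matched already
    "checks": {"id": r"^36871$", "dstuser": r"SYSTEM", "match": r"Schannel"},
}

def rule_matches(rule, fields, full_log):
    """True when every check in the rule matches the decoded event (Python re, not OSSEC's regex)."""
    for key, pattern in rule["checks"].items():
        target = full_log if key == "match" else fields.get(key, "")
        if re.search(pattern, target) is None:
            return False
    return True

def evaluate(line, rule=RULE_200010):
    """Return (rule_id, level) when the rule fires for this line, else None."""
    fields = decode_winevt(line)
    if fields is None or not rule_matches(rule, fields, line):
        return None
    return rule["id"], rule["level"]

if __name__ == "__main__":
    print(decode_winevt(SAMPLE_LOG))
    print(evaluate(SAMPLE_LOG))                              # ('200010', 0)
    print(evaluate(SAMPLE_LOG.replace("36871", "36888")))    # None: other Schannel ids fall through
```

Note that the `^36871$` check is anchored, so a different Schannel event id is not silenced by this rule and would continue to be handled by the parent rule.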