Splunk + Ossec Successful sudo to ROOT executed


satish patel

Mar 2, 2011, 1:01:46 PM
to ossec...@googlegroups.com
I have OSSEC + Splunk configured and I am getting the following message
again and again. How do I get rid of this? How do I change the rules to
ignore only the following message?

** Alert 1299088508.45319: - syslog,sudo
2011 Mar 02 09:55:08 vmg035->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Src IP: (none)
User: root
Mar 2 09:55:07 vmg035 sudo: root : TTY=pts/1 ;
PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ;
COMMAND=/var/ossec/bin/agent_control -l


-Satish

dan (ddp)

Mar 2, 2011, 3:18:44 PM
to ossec...@googlegroups.com
Adjust the following and add it to /var/ossec/rules/local_rules.xml:

<rule id="SOME_ID" level="0">
  <if_sid>5402</if_sid>
  <user>root</user>
  <match>/opt/splunk/etc/apps/ossec/bin</match>
  <description>Ignore splunk.</description>
</rule>

satish patel

Mar 2, 2011, 3:33:20 PM
to ossec...@googlegroups.com
Hey, what <if_sid> should I use in the rules?

5402 or 5400

because before I used 5402, which didn't work; then after I changed it
to 5400 it resolved. Still confused.

satish patel

Mar 2, 2011, 3:31:24 PM
to ossec...@googlegroups.com
Solved:

Created a rule to ignore the keyword in /var/ossec/rules/local_rules.xml:

<rule id="100002" level="0">
  <if_sid>5400</if_sid>
  <match>agent_control</match>
  <description>Events ignored for splunk</description>
</rule>


dan (ddp)

Mar 2, 2011, 3:37:06 PM
to ossec...@googlegroups.com
The message you provided in your original email used id 5402. So
that's what I used.
If you want to ignore rule id 5400, use 5400. If you want to ignore
rule id 5402 then use 5402.

Nate Woodward

Mar 2, 2011, 3:57:02 PM
to ossec-list
Looks to me like your original rule (with if_sid=5402) is only matching
when the user executes sudo from the /opt/splunk/etc/apps/ossec/bin
directory. Maybe try removing the <match> part?

dan (ddp)

Mar 2, 2011, 4:05:24 PM
to ossec...@googlegroups.com
I purposely put that there in an attempt to make sure it's only
ignoring the splunk OSSEC app.
I like to be as specific as possible in my rules. Hopefully fewer false
negatives that way...

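An added example illustrating the specificity point above; it is not code from the thread or from OSSEC itself. It is a small Python model of how a level-0 rule chained on 5402 via <if_sid> silences the alert, run over a few sudo log lines. Assumptions: rule matching is approximated with plain string and regex operations rather than OSSEC's own pattern dialect; the 5402 pattern is a paraphrase of the stock rule, not a copy; <user> is compared against the decoded USER= (dstuser) field; rule ids 100001-100003 are placeholders; and every sample line except the first is constructed. The question of sibling ordering under 5400 that Satish ran into is not modelled. What the model does show is why the contents of the override matter: a rule keyed only on "agent_control" also hides an attacker running agent_control from /tmp, and a rule keyed only on the Splunk working directory hides any root command run from that directory, because PWD is chosen by whoever runs sudo.

```python
"""Toy model of OSSEC rule chaining (<if_sid>, <user>, <match>, <regex>).
Added example for this thread, not OSSEC's own code: analysisd evaluates
rules in C with its own pattern dialect; plain Python string and regex
operations stand in for it here."""
import re
from dataclasses import dataclass
from typing import Optional

# Loose stand-in for the OSSEC sudo decoder, keyed to the line shape
# "sudo: user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." from the alert.
SUDO_RE = re.compile(
    r"sudo: (?P<srcuser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)

def decode_sudo(line: str) -> Optional[dict]:
    """Return the decoded fields, or None if this is not a sudo command line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["log"] = line[m.start("srcuser"):]  # text that <match>/<regex> see
    return ev

@dataclass(frozen=True)
class Rule:
    id: int
    level: int                    # level 0 never alerts: a silencing override
    description: str
    if_sid: Optional[int] = None  # parent rule that must already have matched
    user: Optional[str] = None    # compared to dstuser (USER=); model assumption
    match: Optional[str] = None   # plain substring, like OSSEC <match>
    regex: Optional[str] = None   # Python regex standing in for OSSEC <regex>

    def matches(self, ev: dict) -> bool:
        if self.user is not None and ev["dstuser"] != self.user:
            return False
        if self.match is not None and self.match not in ev["log"]:
            return False
        if self.regex is not None and not re.search(self.regex, ev["log"]):
            return False
        return True

# The stock 5400/5402 pair, paraphrased (not copied) from syslog_rules.xml.
RULE_5400 = Rule(5400, 0, "Initial group for sudo messages")
RULE_5402 = Rule(5402, 3, "Successful sudo to ROOT executed", if_sid=5400,
                 regex=r"^\S+ : TTY=\S+ ; PWD=\S+ ; USER=root ; COMMAND=")

# Three ways to write the level-0 override, all chained on 5402.  The ids
# 100001-100003 are placeholders in the local-rule range.
BROAD = Rule(100001, 0, "Ignore anything mentioning agent_control",
             if_sid=5402, match="agent_control")
BY_PWD = Rule(100002, 0, "Ignore splunk: root from the splunk app directory",
              if_sid=5402, user="root", match="/opt/splunk/etc/apps/ossec/bin")
TIGHT = Rule(100003, 0, "Ignore splunk: that directory and that exact command",
             if_sid=5402, user="root",
             regex=r"PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
                   r"COMMAND=/var/ossec/bin/agent_control -l$")

def evaluate(line: str, local_rules: list) -> Optional[Rule]:
    """A child is only tried once its <if_sid> parent matched; the deepest
    matching rule sets the level, which is how a level-0 child silences 5402."""
    ev = decode_sudo(line)
    if ev is None:
        return None
    winner = RULE_5400  # <decoded_as>sudo</decoded_as>: satisfied by decoding
    for rule in (RULE_5402, *local_rules):
        if rule.if_sid == winner.id and rule.matches(ev):
            winner = rule
    return winner

def would_alert(line: str, local_rules: list) -> bool:
    rule = evaluate(line, local_rules)
    return rule is not None and rule.level > 0

# Constructed sample lines; only the first is the line from the original alert.
SAMPLE_LOGS = {
    "splunk_app": "Mar 2 09:55:07 vmg035 sudo: root : TTY=pts/1 ; "
                  "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; "
                  "COMMAND=/var/ossec/bin/agent_control -l",
    "root_shell_from_splunk_dir": "Mar 2 10:01:13 vmg035 sudo: bob : TTY=pts/3 ; "
                  "PWD=/opt/splunk/etc/apps/ossec/bin ; USER=root ; COMMAND=/bin/bash",
    "agent_control_from_tmp": "Mar 2 10:02:40 vmg035 sudo: bob : TTY=pts/3 ; "
                  "PWD=/tmp ; USER=root ; COMMAND=/var/ossec/bin/agent_control -r -a",
    "plain_root_command": "Mar 2 10:03:05 vmg035 sudo: bob : TTY=pts/3 ; "
                  "PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id",
}

def compare_overrides() -> dict:
    """For each sample line: does each override still let the 5402 alert fire?"""
    variants = {"broad": BROAD, "by_pwd": BY_PWD, "tight": TIGHT}
    return {name: {v: would_alert(line, [r]) for v, r in variants.items()}
            for name, line in SAMPLE_LOGS.items()}

if __name__ == "__main__":
    for name, result in compare_overrides().items():
        print(name, {v: "ALERT" if a else "silent" for v, a in result.items()})
```

Running it shows all three overrides silencing the Splunk app's own agent_control call, but only the tight variant alerting on both the root shell started from the Splunk app directory and on agent_control run from /tmp. In a real local_rules.xml the equivalent of TIGHT is a <regex> on the PWD and COMMAND fields rather than a bare <match> on the directory; the <user> check is redundant here because 5402 already requires USER=root, but it is harmless and documents intent.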

Nate Woodward

Mar 2, 2011, 4:12:03 PM
to ossec-list
Oh, somehow I thought the OP was trying to suppress ALL sudo
notifications. Re-reading, I can see that's obviously not the case.
Sorry, my bad.