dspam[20881]: [ID 795625 mail.warning] process_message returned error
-5. delivering message.
that ossec is picking up on and sending to me via e-mail. After a
couple of hundred of those a day for a few days... the whole thing
starts to become pointless.
The whole message looks like this.
OSSEC HIDS Notification.
2006 Oct 09 07:09:27
Received From: unknown->/var/log/syslog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
dspam[20881]: [ID 795625 mail.warning] process_message returned error
-5. delivering message.
--END OF NOTIFICATION
I suppose I could set it to either ignore syslog or to not fire off a
message unless the alert level is 8, but those seem a bit drastic. Is
there another way?
--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
Have a nice diurnal anomaly!
This is what I put into the rules/local_rules.xml file in this group....
<group name="local,syslog,">
<!-- other example stuff added by ossec -->
<rule id="1002" level="0">
<if_sid>1002</if_sid>
<match>process_message</match>
<description>Mail delivery messages ignored</description>
</rule>
</group>
In ossec.conf it already includes that file in the rules section (I
think anyways).
<include>local_rules.xml</include>
And again... here is the bit in syslog I am trying to ignore.
OSSEC HIDS Notification.
2006 Oct 09 12:01:58
Received From: unknown->/var/log/syslog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
dspam[8355]: [ID 795625 mail.warning] process_message returned error -5.
delivering message.
--END OF NOTIFICATION
I just want it to ignore rule 1002 if it is a mail process_message
error, which is why I put in the bit with <match>process_message</match>.
So any hints as to where I screwed up?
Do I have to match on this line: Rule: 1002 fired (level 7) -> "Unknown
problem somewhere in the system." instead of the portion of the logs
that I want to match on?
And yes... I restarted ossec on that box after changing the rules files.
The "rule id" needs to start with 100000 and on up to 109999 (User Rules'
Reserve Area).
That part of the wiki is not clear, I must confess.
if_sid is OK though; that matches the actual "referring" rule.
Like so:
<rule id="100001" level="0">
--
Kindest Regards,
Francesca Smith
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
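To check a local rule against the constraints Francesca describes (a user rule id inside the 100000-109999 range, an if_sid that names the real parent rule) and to see whether its <match> would actually catch the dspam line from the notification, here is an added Python script. It is not part of the thread and not OSSEC's own code: the rules file and the log lines are constructed from what is quoted in the thread, rule 1002 is modelled as a plain substring check for the word "error", and <match> is treated as a substring test, both of which are simplifications of OSSEC's real matching and are marked as assumptions in the comments.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the local_rules.xml quoted in the thread
# (not the poster's actual file).
LOCAL_RULES_XML = """<group name="local,syslog,">
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>process_message</match>
    <description>Mail delivery messages ignored</description>
  </rule>
</group>
"""

# Constructed sample log lines: the first is the dspam warning from the
# notification, the second is an unrelated error that must NOT be silenced.
SAMPLE_LOGS = [
    "dspam[20881]: [ID 795625 mail.warning] process_message returned error -5. delivering message.",
    "kernel: [ID 123456 kern.error] disk error on sda",
]

# Range for user-defined rule ids as stated in the thread (assumption: hard-coded).
USER_RULE_MIN, USER_RULE_MAX = 100000, 109999

# Parent rule 1002 as described in the notification (level 7, "Unknown problem
# somewhere in the system"). Assumption: modelled as a substring check for
# "error"; OSSEC's real rule uses its own bad-word list and pattern syntax.
PARENT_RULES = {1002: {"level": 7, "match": ["error"]}}


def load_local_rules(xml_text):
    """Parse every <rule> in a local_rules.xml-style document into dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        sids = re.split(r"[,\s]+", (r.findtext("if_sid") or "").strip())
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [int(s) for s in sids if s],
            "match": r.findtext("match"),
            "description": " ".join(d.text or "" for d in r.findall("description")).strip(),
        })
    return rules


def lint_local_rules(rules, known_parents):
    """Return a list of problems: ids outside the user range, ids that collide
    with a built-in rule, and if_sid references to rules we do not know."""
    problems = []
    for r in rules:
        if not USER_RULE_MIN <= r["id"] <= USER_RULE_MAX:
            problems.append(f"rule {r['id']}: id outside user range {USER_RULE_MIN}-{USER_RULE_MAX}")
        if r["id"] in known_parents:
            problems.append(f"rule {r['id']}: id collides with a built-in rule")
        for sid in r["if_sid"]:
            if sid not in known_parents:
                problems.append(f"rule {r['id']}: if_sid {sid} refers to an unknown rule")
    return problems


def evaluate(log_line, local_rules, parents):
    """Return (rule_id, level) for the log line: the child rule that depends on
    the firing parent and whose <match> is a substring of the line wins,
    otherwise the parent itself fires. None when nothing matches."""
    for pid, parent in parents.items():
        if any(word in log_line for word in parent["match"]):
            for child in local_rules:
                if pid in child["if_sid"] and (child["match"] is None or child["match"] in log_line):
                    return child["id"], child["level"]
            return pid, parent["level"]
    return None


if __name__ == "__main__":
    rules = load_local_rules(LOCAL_RULES_XML)
    for p in lint_local_rules(rules, PARENT_RULES):
        print("lint:", p)
    for line in SAMPLE_LOGS:
        print(evaluate(line, rules, PARENT_RULES), "<-", line)
```

Running it shows the dspam line dropping to level 0 through rule 100002 while the unrelated "disk error" line still reaches level 7 through rule 1002; feeding it the first attempt from the thread (id 1002) reports both the out-of-range id and the collision with the built-in rule.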
Okay... I tried changing the rule id and restarted ossec. Still not
working. Here is my local_rules.xml file from /var/ossec/rules
My filter is at the bottom of local_rules.xml and the bit I am trying to
filter is at the bottom of this message.
(root) mail # cat local_rules.xml
<!-- Example of local rules for ossec.
- Author: Daniel B. Cid
- Date: Sep 15, 2006
-->
<!-- Modify it at your will. -->
<group name="local,syslog,">
<!-- Note that rule id 5711 is defined at the ssh_rules file
- as a ssh failed login. This is just an example
- since ip 1.1.1.1 shouldn't be used anywhere.
- Level 0 means ignore.
-->
<rule id="100001" level="0">
<if_sid>5711</if_sid>
<srcip>1.1.1.1</srcip>
<description>Example of rule that will ignore sshd </description>
<description>failed logins from IP 1.1.1.1.</description>
</rule>
<!-- This example will ignore ssh failed logins for the user name XYZABC.
-->
<!--
<rule id="100020" level="0">
<if_sid>5711</if_sid>
<user>XYZABC</user>
<description>Example of rule that will ignore sshd </description>
<description>failed logins for user XYZABC.</description>
</rule>
-->
<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="100030" level="0">
<if_sid>12345, 23456, xyz, abc</if_sid>
<description>List of rules to be ignored.</description>
</rule>
-->
<rule id="100002" level="0">
<if_sid>1002</if_sid>
<match>process_message</match>
<description>Mail delivery messages ignored</description>
</rule>
</group> <!-- SYSLOG,LOCAL -->
<!-- EOF -->
Meir Michanie wrote:
> use rule id=1000x
>
> <rule id="10002" level="0">
> <if_sid>1002</if_sid>
> <match>process_message</match>
> <description>Mail delivery messages ignored</description>
> </rule>
>