
Exclude patterns from a rule


Andre Pawlowski

Apr 26, 2009, 4:56:34 AM
to ossec...@googlegroups.com
Hey guys,

I have the following problem. I use ossec on my servers and the rule
1002 "Unknown problem somewhere in the system." fires all the time. I
know these log entries and want to stop ossec from sending me mails when
these patterns come along. The rule uses a bad word list and I can delete
the words that fire the rule. But I want unknown log entries with words like
"error" or "failure" sent to me too.

So, is it possible to exclude a pattern (for example a regex) from a rule?
The log entries are some of these:

Apr 25 23:31:55 servername smartd[7657]: Device: /dev/hda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 88 to 87

or

Apr 25 10:33:40 servername HORDE[14046]: [horde] Error retrieving session data (id = 97c2565csadf126asdf9deacd): Lock wait timeout exceeded; try restarting transaction [pid 14046 on line 144 of "/dir/to/horde/lib/Horde/SessionHandler/mysql.php"]

I hope you can help me. Thanks in advance.

--

Andre Pawlowski

-------------------------------------------------------------------

If you could be God's worst enemy or nothing, which would you choose?
-Chuck Palahniuk

ddp

Apr 27, 2009, 9:26:19 AM
to ossec...@googlegroups.com

Create local rules that match on the entries you want to ignore and
set them to a low level (level="0"). You may need to include
"<if_sid>1002</if_sid>" in some of these rules to get them to fire
instead of ossec firing off 1002 alerts.
dan

Andre Pawlowski

May 3, 2009, 6:30:27 AM
to ossec...@googlegroups.com

ddp wrote:
> Create local rules that match on the entries you want to ignore and
> set them to a low level (level="0"). You may need to include
> "<if_sid>1002</if_sid>" in some of these rules to get them to work
> instead of ossec firing 1002 alerts off instead.
> dan
>
>
Ok, I created a local rule in syslog_rules.xml.

The regex is:
\[horde\] Error retrieving session data \(id = [a-f0-9]+\): Lock wait
timeout exceeded; try restarting transaction

for log entries like:
Apr 25 10:33:40 servername HORDE[14046]: [horde] Error retrieving
session data (id = 97c2565csadf126asdf9deacd): Lock wait timeout
exceeded; try restarting transaction [pid 14046 on line 144 of
"/dir/to/horde/lib/Horde/SessionHandler/mysql.php"]

I checked the regex with an online regex checker and the expression
should match this entry. But my rule still doesn't fire instead of the
"Unknown problem somewhere in the system." rule (id 1002). I put my local rule
in the same group as the 1002 rule and it looks like:

  <rule id="500" level="10">
    <match>\[horde\] Error retrieving session data \(id = [a-f0-9]+\):
Lock wait timeout exceeded; try restarting transaction</match>
    <options>alert_by_email</options>
    <description>TEST</description>
  </rule>

But it doesn't fire. Any ideas?

Thanks in advance

--

Andre Pawlowski

-------------------------------------------------------------------

Why do we fall?
So that we can learn to pick ourselves up again.
-Batman Begins (Thomas Wayne)

matthias platzer

May 4, 2009, 4:39:49 AM
to ossec-list
hi,

On May 3, 12:30 pm, Andre Pawlowski <sq...@h4des.org> wrote:
[...]
> The regex is:
> \[horde\] Error retrieving session data \(id = [a-f0-9]+\): Lock wait
> timeout exceeded; try restarting transaction

The ossec regexp syntax is a bit different, check out:
http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme

And you should test your rules with the ossec-logtest tool.

>   <rule id="500" level="10">
>     <match>\[horde\] Error retrieving session data \(id = [a-f0-9]+\):
> Lock wait timeout exceeded; try restarting transaction</match>
>     <options>alert_by_email</options>
>     <description>TEST</description>
>   </rule>
>
> But it doesn't fire. Any ideas?

See above, also you should include something like <if_sid>1002</if_sid>.

regards,
m

ddp

May 4, 2009, 9:48:48 AM
to ossec...@googlegroups.com
The following worked for me using ossec-logtest:

  <rule id="7000000" level="10">
    <if_sid>1002</if_sid>
    <program_name>HORDE</program_name>
    <regex>Error retrieving session data \(id = \w+\): Lock wait
timeout exceeded; try restarting transaction</regex>
    <description>TEST</description>
  </rule>

It can probably be cleaned up a bit.
dan
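
As an added illustration (not code from the thread or from OSSEC), here is a small Python model of the rule tree dan describes: parent rule 1002 matches on bad words, child rules are selected by if_sid and program_name, and a child at level 0 makes the event ignored while other "error" lines still alert. It is run over the two log lines quoted above; the patterns use Python re syntax rather than OSSEC's own dialect, the 1002 word list is reduced to the two words the thread names, and the smartd rule, the rule ids and the third event are constructed.

```python
import re

# Constructed events, as the decoder would hand them to the rules: (program_name,
# message). The first two are the log lines quoted in the thread; the third is a
# constructed line that should keep alerting.
SAMPLE_EVENTS = [
    ("smartd", "Device: /dev/hda, SMART Prefailure Attribute: 1 "
               "Raw_Read_Error_Rate changed from 88 to 87"),
    ("HORDE", "[horde] Error retrieving session data (id = 97c2565csadf126asdf9deacd): "
              "Lock wait timeout exceeded; try restarting transaction "
              '[pid 14046 on line 144 of "/dir/to/horde/lib/Horde/SessionHandler/mysql.php"]'),
    ("cron", "error: job backup.sh failed"),
]

# Simplified rule table in Python re syntax, not OSSEC's own dialect (which has no
# [a-f0-9] classes, hence \w+ as in dan's rule). 1002's real bad-word list is
# longer; "error"/"failure" are the words the thread names. Child levels follow
# dan's first reply: level 0 means "ignore". The smartd rule is constructed.
RULES = [
    {"id": 1002, "level": 2, "if_sid": None, "program_name": None,
     "regex": re.compile(r"error|failure", re.I)},
    {"id": 100100, "level": 0, "if_sid": 1002, "program_name": "HORDE",
     "regex": re.compile(r"Error retrieving session data \(id = \w+\): "
                         r"Lock wait timeout exceeded; try restarting transaction")},
    {"id": 100101, "level": 0, "if_sid": 1002, "program_name": "smartd",
     "regex": re.compile(r"Raw_Read_Error_Rate changed from \d+ to \d+")},
]

def rule_matches(rule, program_name, message):
    """program_name (when the rule sets one) and regex must both match."""
    if rule["program_name"] not in (None, program_name):
        return False
    return rule["regex"].search(message) is not None

def evaluate(program_name, message):
    """Return (rule_id, level) deciding the event, or None if no rule matches.
    Like the OSSEC rule tree: the first matching top-level rule wins, then the
    first matching child (if_sid == parent id) overrides the parent's level."""
    for parent in (r for r in RULES if r["if_sid"] is None):
        if rule_matches(parent, program_name, message):
            for child in (r for r in RULES if r["if_sid"] == parent["id"]):
                if rule_matches(child, program_name, message):
                    return child["id"], child["level"]
            return parent["id"], parent["level"]
    return None

def alerting_events(events=SAMPLE_EVENTS):
    """Events whose final level is above 0, i.e. the ones that still alert."""
    verdicts = [(p, evaluate(p, m)) for p, m in events]
    return [(p, v) for p, v in verdicts if v is not None and v[1] > 0]
```

Only the constructed cron line survives as an alert; both noisy lines are caught by a level-0 child of 1002, which is the behaviour dan's first reply describes.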
