Exclude rule

[Dmitriy Shvedchenko]

Hello there,

could someone help me exclude this message from ossec:

OSSEC HIDS Notification.
2018 Mar 01 11:02:10

Received From: mail->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar  1 11:02:10 mail systemd-logind: Failed to remove runtime directory /run/user/0: Device or resource busy



 --END OF NOTIFICATION

i've  created local rule for exlucde, but this rule doesn't work:

 <rule id="400001" level="0">

    <options>no_email_alert</options>

    <!--<if_group>syscheck</if_group>-->

    <if_sid>1002</if_sid>

    <program_name>systemd-logind</program_name>

    <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>

    <description>ignore this message</description>

  </rule>

Could pls someone tell me, that i am doing wrong? Thank you in advance!

[Bruce Westbrook]

Dmitriy, custom rules can only be numbered between 100,000 and 119,999.  Change the rule number you used (400,001) to between the allowed range.

You can then use the ossec-logtest binary to test your config before deploying it.  Other than the rule number your syntax appears to be fine.

- Bruce

[Dmitriy Shvedchenko]

Bruce, thank you very much for the information. Will test with new rule number.

четверг, 1 марта 2018 г., 14:37:04 UTC+1 пользователь Bruce Westbrook написал:

[Dmitriy Shvedchenko]

Unfortunately the rule still doesn't work.

Also changed to:

<rule id="100000" level="0">

    <options>no_email_alert</options>

    <if_matched_group>syscheck</if_matched_group>

    <!--<if_sid>1002</if_sid>-->

    <program_name>systemd-logind</program_name>

    <match>Failed to remove runtime directory /run/user/0: Device or resource busy</match>

    <description>ignore this message</description>

  </rule>

and still getting the mails

четверг, 1 марта 2018 г., 11:11:20 UTC+1 пользователь Dmitriy Shvedchenko написал: