I installed OSSEC in a monitor/agent configuration on a few servers of mine. Everything works great.

The only thing that annoys me is that I keep receiving alerts after logrotate rotates the log I watch.

Now my mailbox is full of Rule: 550 fired (level 7) -> "Integrity checksum changed." mails, which lowers my signal-to-noise ratio. I am afraid I won't look carefully at those alerts if I get dozens of false positives a day.

How can I handle the situation? How can I make OSSEC aware of log rotations so it doesn't mail me each time it happens?

calve

2 Answers

You could create another OSSEC rule that fires in response to 550. Say your logrotate rolls over logs every Tuesday at midnight. According to the OSSEC rules syntax, you can specify "time" and "weekday" tags to whitelist logrotate. So if that rule fires on that day and at that time, we disable emailing and downgrade it to, say, level 2.

Of course, this assumes that logrotate is the program actually doing the moving. You could expand this further to customize the reporting. E.g., escalation to level 14 if the whitelist rule gets fired more than once in the timespan of 10 minutes (what's logrotate doing?).

Ohnana

Add the following rule in your local_rules.xml file.

```xml
<rule id="550" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <hostname>your_server_name</hostname>
  <match>logrotate</match>
  <options>no_email_alert</options>
  <description>No email alerts for Integrity checksum changed for logrotate.</description>
  <group>syscheck,</group>
</rule>
```

OSSEC will look at local_rules.xml first before looking at other rules, so it will apply the <options>no_email_alert</options> directive, but only to hosts/servers defined in the <hostname> directive, and for those matching the logrotate keyword in the alerts.

JSL
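The following configuration is an added example combining the two answers above; it is not from the question or from either answer. It does two things: on the agent, it tells syscheck to ignore rotated copies of the logs outright, so they are never checksummed; on the manager, it leaves rule 550 untouched and adds child rules underneath it, so every other integrity change still arrives as a normal level 7 alert. Two things a practitioner should keep in mind here: `<match>` is a literal substring test against the alert text, and a syscheck alert reads `Integrity checksum changed for: '/path/to/file'`, so it carries the changed path, not the name of the process that changed it; and OSSEC's OS_Regex is not PCRE, in it `.` is a literal dot and `\.` matches any character. The rule ids (100550 to 100552, inside the 100000 to 119999 range OSSEC reserves for local rules), the hostnames, the paths under /var/log and the Tuesday midnight window are all assumptions for the example; check any regex with ossec-logtest before relying on it.

```xml
<!-- Added example, not the question's or either answer's own configuration.
     Fragment (1) goes in ossec.conf on the agent, inside the existing
     <syscheck> block. Fragment (2) goes in local_rules.xml on the manager.
     Hostnames, paths, rule ids and the time window are assumptions. -->

<!-- (1) ossec.conf (agent side): never checksum rotated copies at all.
     OS_Regex note: "." is a literal dot here and "\." means any character,
     the opposite of PCRE. -->
<syscheck>
  <directories check_all="yes">/var/log</directories>
  <!-- rotated copies such as /var/log/syslog.1 or /var/log/auth.log.2.gz -->
  <ignore type="sregex">^/var/log/\S+.\d+$</ignore>
  <ignore type="sregex">^/var/log/\S+.gz$</ignore>
</syscheck>

<!-- (2) local_rules.xml (manager side). Rule 550 is left as shipped; the
     children below only refine what happens when it fires. -->
<group name="local,syscheck,">

  <!-- Integrity change on a rotated log (name ends in .N or .gz) on the
       listed hosts: keep a low-level alert in alerts.log, send no e-mail. -->
  <rule id="100550" level="3">
    <if_sid>550</if_sid>
    <hostname>web01|web02</hostname>
    <regex>changed for: '/var/log/\S+.\d+'|changed for: '/var/log/\S+.gz'</regex>
    <options>no_email_alert</options>
    <description>Integrity change on a rotated log, expected from logrotate.</description>
  </rule>

  <!-- The first answer's approach: any integrity change inside the assumed
       logrotate window (Tuesday 00:00-00:10) is downgraded and not mailed. -->
  <rule id="100551" level="2">
    <if_sid>550</if_sid>
    <hostname>web01|web02</hostname>
    <weekday>tuesday</weekday>
    <time>00:00-00:10</time>
    <options>no_email_alert</options>
    <description>Integrity change during the scheduled logrotate window.</description>
  </rule>

  <!-- Escalation from the first answer: a single logrotate run touches each
       file once. Five or more hits on the whitelist rule within 10 minutes
       (600 s) means something else is rewriting files, so raise the level
       high enough that it is mailed again. -->
  <rule id="100552" level="12" frequency="5" timeframe="600">
    <if_matched_sid>100550</if_matched_sid>
    <description>Repeated integrity changes on rotated logs within 10 minutes.</description>
  </rule>

</group>
```

Restart the agent after editing ossec.conf and the manager after editing local_rules.xml; the syscheck ignore only takes effect on the next scan, whereas the rules apply to the next alert. The two fragments are independent: if the rotated copies are already ignored by syscheck, rule 100550 will rarely fire and the time window rule carries the remaining cases.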