OSSEC - Disable server authdaemond failure alerts - rule 1002

OSSEC is installed on my VPS and I'm getting regular email level 2 alerts with e.g. the following content:

Received From: server->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Oct 12 10:07:45 server authdaemond: Failed to getpwnam for user marketing

They must be phishing attempts, and after x-number the IP is blocked by lfd. How can I suppress these particular alert emails?
ncw asked:

David Johnson, CD, MVP (Owner) commented:
Other than turning off level 2 alerts, there probably is not much you can do or should do. Realize that a surplus of information can be annoying, but it is better than zero information later on down the road. You could, in your mail client, filter the messages and mark them as read upon receipt.
btan (Exec Consultant) commented:
Users also see rules with a lower level even if they set <email_alert_level> to a higher level. Some rules have an option set that forces OSSEC to send an alert email. This option is <options>alert_by_email</options>. Most of the time, users can use this option to have individual rules override the global level. One of the rules that overrides the global level is 1002. To ignore this rule you will have to create a rule that specifically ignores it, or overwrite the rule without the alert_by_email option.

Sending alerts via E-Mail
http://www.ossec.net/doc/manual/output/email-output.html

ossec.conf: Granular Email options
http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html

ossec.conf: Alerts Options
http://devio.us/~ddp/ossec/docs27/syntax/head_ossec_config.alerts.html?highlight=alert_by_email


Before that, note that rule 1002 is a catch-all rule. It looks for keywords that are generally considered "bad." It also means there is not currently a rule that deals with the log message. It is configured to always send an email when it's triggered. I understand that many users have found it annoying, and in your case the "brute force attack" seems to be flooding the log, which is not that good indeed.

Overall, the best thing to do when you encounter something that triggers rule 1002 is to write a rule. In this case, maybe a rule to specifically filter this out. I am not an expert in OSSEC, though, but see if these articles help (not the actual error you see):

http://ddpbsd.blogspot.sg/2010/10/ossec-rules-101.html
http://rolfsa.blogspot.sg/2009/05/ossec-active-responses.html

ossec-logtest - http://www.ossec.net/doc/programs/ossec-logtest.html
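A concrete way to apply the "write a rule" advice above, added here as an example that is not from the thread or from the OSSEC project's own rule files: a child rule of 1002 in /var/ossec/rules/local_rules.xml that catches only the authdaemond getpwnam message from the question. The rule id 100010 and the group name are assumptions; any unused id in the local range 100000-119999 works.

```xml
<!-- /var/ossec/rules/local_rules.xml (example, not from the thread) -->
<group name="local,syslog,">

  <!-- Child of the catch-all rule 1002: matches only the authdaemond
       "Failed to getpwnam" line. It carries no <options>alert_by_email</options>,
       so the event is still written to alerts.log at level 2 but no longer
       overrides <email_alert_level>, which stops the forced emails.
       Rule id 100010 is an assumption; pick any unused local id. -->
  <rule id="100010" level="2">
    <if_sid>1002</if_sid>
    <program_name>authdaemond</program_name>
    <match>Failed to getpwnam for user</match>
    <description>authdaemond: lookup of unknown user failed (blocking left to lfd).</description>
  </rule>

</group>
```

Paste the log line from the question into ossec-logtest to confirm rule 100010 fires instead of 1002, then restart OSSEC. To silence the message entirely set level="0"; to drop the forced email for every 1002 hit instead, copy rule 1002 into local_rules.xml with overwrite="yes" and without its <options> element.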
