OSSEC - Disable server authdaemond failure alerts - rule 1002

OSSEC is installed on my VPS and I'm getting regular level 2 email alerts with, e.g., the following content:

Received From: server->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Oct 12 10:07:45 server authdaemond: Failed to getpwnam for user marketing


They must be phishing attempts, and after x-number the IP is blocked by lfd. How can I suppress these particular alert emails?

btan (Exec Consultant) commented:
Users also see rules with a lower level even if they set the <email_alert_level> to a higher level. Some rules have an option set to force OSSEC into sending an alert email. This option is <options>alert_by_email</options>. Most of the time, users can use this option to have individual rules override the global level. One of these rules that overrides the global level is 1002. To ignore this rule you will have to create a rule to specifically ignore it, or overwrite the rule without the alert_by_email option.

Sending alerts via E-Mail

ossec.conf: Granular Email options

ossec.conf: Alerts Options

Before that, note that rule 1002 is a catch-all rule. It looks for keywords that are generally considered "bad." It also means there is not currently a rule that deals with the log message. It is configured to always send an email when it's triggered. I understand that many users have found it annoying, and in your case the "brute force attack" seems to be flooding the log, which is not good indeed.

Overall, the best thing to do when you encounter something that triggers rule 1002 is to write a rule. In this case, maybe a rule to specifically filter this out. I am not an expert in OSSEC, though, but see if this article helps (not the actual error you see


ossec-logtest - http://www.ossec.net/doc/programs/ossec-logtest.html
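A local_rules.xml override along the lines btan describes, as an added example that is not from this thread or from the OSSEC project's own rule set. The file path, the group name and rule id 100100 are assumptions (100100 sits in the 100000-119999 range OSSEC reserves for local rules); the match string is the fixed part of the authdaemond line quoted in the question, and $BAD_WORDS is the variable OSSEC's shipped syslog_rules.xml defines for rule 1002.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; path and rule id are assumptions) -->
<group name="local,syslog,">

  <!-- Option 1: keep rule 1002 as shipped, but add a child rule that takes over
       only for the courier authdaemond message from the question. A level 0
       child rule means the event is neither written to alerts.log nor emailed;
       lfd still reads the original line in /var/log/maillog and blocks the IP. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <!-- <match> is a literal substring test (not a regex); the username varies,
         so only the fixed part of the message is matched. -->
    <match>authdaemond: Failed to getpwnam for user</match>
    <description>Courier authdaemond lookup of an unknown user; handled by lfd, no email.</description>
  </rule>

  <!-- Option 2 (use instead of option 1): overwrite rule 1002 itself without
       <options>alert_by_email</options>. It stays a level 2 alert in alerts.log,
       but the global <email_alert_level> now decides whether it is mailed. -->
  <!--
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  -->

</group>
```

After restarting OSSEC, paste the log line from the question into /var/ossec/bin/ossec-logtest (linked above) and confirm that it now reports rule 100100 at level 0 instead of rule 1002 at level 2; if ossec-logtest still shows 1002, the match string does not fit the decoded message and the child rule is not taking over.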
David Johnson, CD, MVP (Owner) commented:
Other than turning off level 2 alerts, there probably is not much you can do or should do. Realize that a surplus of information can be annoying, but it is better than zero information later on down the road. You could, in your mail client, filter the messages and mark them as read upon receipt.