<rule id="531" level="7" ignore="7200">
<if_sid>530</if_sid>
- <match>ossec: output: 'df -h': /dev/</match>
+ <match>ossec: output: 'df -P': /dev/</match>
<regex>100%</regex>
<description>Partition usage reached 100% (disk space monitor).</description>
<group>low_diskspace,</group>
<group>syscheck,</group>
</rule>
- <rule id="554" level="0">
+ <rule id="554" level="5">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
-->
-<rule id="600" level="0">
+ <rule id="600" level="0">
<decoded_as>ar_log</decoded_as>
<description>Active Response Messages Grouped</description>
<group>active_response,</group>
<group>active_response,</group>
</rule>
+ <rule id="700" level="0">
+ <category>ossec</category>
+ <decoded_as>ossec-logcollector</decoded_as>
+ <description>Logcollector Messages Grouped</description>
+ </rule>
+
+ <rule id="701" level="0">
+ <if_sid>700</if_sid>
+ <match>INFO: </match>
+ <description>Ignore informational messages (usually at startup)</description>
+ </rule>
+
</group> <!-- OSSEC -->
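Review bot: Rule 701 drops every logcollector line containing `INFO: ` at level 0, and its only parent, rule 700, is also level 0, so any non-informational logcollector message falls through to the grouping rule and is discarded without ever alerting; as far as I recall the OSSEC daemons prefix their other log levels with `ERROR: ` and `WARN: ` (e.g. when a monitored log file cannot be opened), which is exactly the condition a defender wants surfaced, since it means a log source is no longer being collected. A child rule of 700 at a non-zero level covering those prefixes would close the gap (the id below is a placeholder to be assigned from the project's rule-id ranges). Unrelated but visible in the context lines, rule 600 carries `<group>active_response,</group>` twice (L21 and L22); one of them can go. The enclosing `<group>` element starts outside this hunk.
```xml
  <!-- … unchanged: rules 700 and 701 … -->
  <rule id="RULE_ID_PLACEHOLDER" level="5">
    <if_sid>700</if_sid>
    <match>ERROR: |WARN: </match>
    <description>Logcollector error or warning (a monitored log may no longer be collected).</description>
  </rule>
```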