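<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
  -  Official Generic Syslog rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
-->

<!-- Conventions used in this file (as the rules below show them):
  -  level="0" silences a rule; together with noalert="1" it only acts as
  -  a pre-match parent that child rules reference through <if_sid>.
  -  Consecutive <pcre2> elements inside one rule spell out a single
  -  alternation split over several lines: every non-final one ends in "|",
  -  so the rule loader presumably joins them into one pattern.
  -  Group names are comma-separated tags ending in a trailing comma.
-->

<!-- Default variables for the SYSLOG rules. -->

<!-- Bad words matching. Any log containing these messages
  -  will be triggered.
-->
<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>


<!-- Syslog errors. -->
<group name="syslog,errors,">
  <rule id="1001" level="2">
    <pcre2>^Couldn't open /etc/securetty</pcre2>
    <description>File missing. Root access unrestricted.</description>
  </rule>

  <!-- Catch-all on $BAD_WORDS: deliberately broad and low level, so it is
    -  noisy. Known false positives are silenced by child rules chained on
    -  this sid (1009, 2942); add further suppressions there rather than
    -  narrowing the variable. -->
  <rule id="1002" level="2">
    <pcre2>$BAD_WORDS</pcre2>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

  <!-- No pattern: matches on message size alone. -->
  <rule id="1003" level="13" maxsize="1025">
    <description>Non standard syslog message (size too large).</description>
  </rule>

  <rule id="1004" level="5">
    <pcre2>^exiting on signal</pcre2>
    <description>Syslogd exiting (logging stopped).</description>
  </rule>

  <rule id="1005" level="5">
    <program_name_pcre2>syslogd</program_name_pcre2>
    <pcre2>^restart</pcre2>
    <description>Syslogd restarted.</description>
  </rule>

  <rule id="1006" level="5">
    <pcre2>^syslogd \S+ restart</pcre2>
    <description>Syslogd restarted.</description>
  </rule>

  <rule id="1007" level="7">
    <pcre2>file system full|No space left on device</pcre2>
    <description>File system full.</description>
    <group>low_diskspace,</group>
  </rule>

  <rule id="1008" level="5">
    <pcre2>killed by SIGTERM</pcre2>
    <description>Process exiting (killed).</description>
    <group>service_availability,</group>
  </rule>

  <!-- Suppression of known false positives for 1002. -->
  <rule id="1009" level="0">
    <if_sid>1002</if_sid>
    <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
    <pcre2>PPM exceeds tolerance</pcre2>
    <description>Ignoring known false positives on rule 1002.</description>
  </rule>

  <rule id="1010" level="5">
    <pcre2>segfault at </pcre2>
    <description>Process segfaulted.</description>
    <group>service_availability,</group>
  </rule>
</group> <!-- SYSLOG,ERRORS -->



<!-- NFS messages -->
<group name="syslog,nfs,">
  <!-- XXX All These NFS rules need to be fixed. -->
  <rule id="2100" level="0" noalert="1">
    <program_name_pcre2>^automount|^mount</program_name_pcre2>
    <description>NFS rules grouped.</description>
  </rule>

  <rule id="2101" level="4">
    <if_sid>2100</if_sid>
    <pcre2>nfs: mount failure</pcre2>
    <description>Unable to mount the NFS share.</description>
  </rule>

  <rule id="2102" level="4">
    <if_sid>2100</if_sid>
    <pcre2>reason given by server: Permission denied</pcre2>
    <description>Unable to mount the NFS directory.</description>
  </rule>

  <!-- Not chained on 2100: rpc.mountd is a different program name. -->
  <rule id="2103" level="4">
    <pcre2>^rpc\.mountd: refused mount request from</pcre2>
    <description>Unable to mount the NFS directory.</description>
  </rule>

  <rule id="2104" level="2">
    <if_sid>2100</if_sid>
    <pcre2>lookup for \S+ failed</pcre2>
    <description>Automount informative message</description>
  </rule>
</group> <!-- SYSLOG,NFS -->



<!-- xinetd messages -->
<group name="syslog,xinetd,">
  <rule id="2301" level="10">
    <pcre2>^Deactivating service </pcre2>
    <description>Excessive number of connections to a service.</description>
  </rule>
</group> <!-- SYSLOG,XINETD -->



<!-- Access control messages -->
<group name="syslog,access_control,">
  <rule id="2501" level="5">
    <pcre2>FAILED LOGIN |authentication failure|</pcre2>
    <pcre2>Authentication failed for|invalid password for|</pcre2>
    <pcre2>LOGIN FAILURE|auth failure: |authentication error|</pcre2>
    <pcre2>authinternal failed|Failed to authorize|</pcre2>
    <pcre2>Wrong password given for|login failed|Auth: Login incorrect|</pcre2>
    <pcre2>Failed to authenticate user</pcre2>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>

  <rule id="2502" level="10">
    <pcre2>more authentication failures;|REPEATED login failures</pcre2>
    <description>User missed the password more than one time</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="2503" level="5">
    <pcre2>^refused connect from|</pcre2>
    <pcre2>^libwrap refused connection|</pcre2>
    <pcre2>Connection from \S+ denied</pcre2>
    <description>Connection blocked by Tcp Wrappers.</description>
    <group>access_denied,</group>
  </rule>

  <rule id="2504" level="9">
    <pcre2>ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED</pcre2>
    <description>Illegal root login.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="2505" level="3">
    <pcre2>^ROOT LOGIN on</pcre2>
    <description>Physical root login.</description>
  </rule>

  <rule id="2506" level="3">
    <pcre2>^Authentication passed</pcre2>
    <description>Pop3 Authentication passed.</description>
  </rule>

  <rule id="2507" level="0">
    <decoded_as>openldap</decoded_as>
    <description>OpenLDAP group.</description>
  </rule>

  <rule id="2508" level="3">
    <if_sid>2507</if_sid>
    <pcre2>ACCEPT from</pcre2>
    <description>OpenLDAP connection open.</description>
  </rule>

  <!-- Correlates a bind failure (LDAP result 49) with the preceding
    -  connection (2508) on the same connection id.
    -  NOTE(review): frequency="0" with if_matched_sid - confirm what the
    -  engine treats as the minimum frequency for a correlation rule. -->
  <rule id="2509" level="5" timeframe="10" frequency="0">
    <if_sid>2507</if_sid>
    <if_matched_sid>2508</if_matched_sid>
    <same_id />
    <pcre2>RESULT tag=97 err=49</pcre2>
    <description>OpenLDAP authentication failed.</description>
  </rule>

</group> <!-- SYSLOG,ACCESS_CONTROL -->



<!-- rshd -->
<group name="syslog,access_control,">
  <rule id="2550" level="0" noalert="1">
    <decoded_as>rshd</decoded_as>
    <description>rshd messages grouped.</description>
  </rule>

  <rule id="2551" level="10">
    <if_sid>2550</if_sid>
    <pcre2>^Connection from \S+ on illegal port$</pcre2>
    <description>Connection to rshd from unprivileged port. Possible network scan.</description>
    <group>connection_attempt,</group>
  </rule>
</group>



<!-- Mail/Procmail messages -->
<group name="syslog,mail,">
  <rule id="2701" level="0">
    <program_name_pcre2>^procmail</program_name_pcre2>
    <description>Ignoring procmail messages.</description>
  </rule>
</group> <!-- SYSLOG,MAIL -->



<!-- Smartd messages -->
<group name="syslog,smartd,">
  <rule id="2800" level="0" noalert="1">
    <program_name_pcre2>^smart</program_name_pcre2>
    <description>Pre-match rule for smartd.</description>
  </rule>

  <!-- 2801-2803 are level 0: smartd configuration problems are silenced. -->
  <rule id="2801" level="0">
    <if_sid>2800</if_sid>
    <pcre2>No configuration file /etc/smartd\.conf found</pcre2>
    <description>Smartd Started but not configured</description>
  </rule>

  <rule id="2802" level="0">
    <if_sid>2800</if_sid>
    <pcre2>Unable to register ATA device</pcre2>
    <description>Smartd configuration problem</description>
  </rule>

  <rule id="2803" level="0">
    <if_sid>2800</if_sid>
    <pcre2>No such device or address</pcre2>
    <description>Device configured but not available to Smartd</description>
  </rule>
</group> <!-- SYSLOG,SMARTD -->



<!-- Linux Kernel messages -->
<group name="syslog,linuxkernel,">
  <rule id="5100" level="0" noalert="1">
    <program_name_pcre2>^kernel</program_name_pcre2>
    <description>Pre-match rule for kernel messages</description>
  </rule>

  <rule id="5101" level="0">
    <if_sid>5100</if_sid>
    <pcre2>PCI: if you experience problems, try using option</pcre2>
    <description>Informative message from the kernel.</description>
  </rule>

  <rule id="5102" level="0">
    <if_sid>5100</if_sid>
    <pcre2>modprobe: Can't locate module sound</pcre2>
    <description>Informative message from the kernel</description>
  </rule>

  <!-- Two <description> elements: the trailing space in the first one is
    -  intentional so the two read as one sentence when shown together. -->
  <rule id="5103" level="9">
    <if_sid>5100</if_sid>
    <pcre2>Oversized packet received from</pcre2>
    <description>Error message from the kernel. </description>
    <description>Ping of death attack.</description>
  </rule>

  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <pcre2>Promiscuous mode enabled|</pcre2>
    <pcre2>device \S+ entered promiscuous mode</pcre2>
    <description>Interface entered promiscuous (sniffing) mode.</description>
    <group>promisc,</group>
  </rule>

  <rule id="5105" level="0">
    <if_sid>5100</if_sid>
    <pcre2>end_request: I/O error, dev fd0, sector 0|</pcre2>
    <pcre2>Buffer I/O error on device fd0, logical block 0</pcre2>
    <description>Invalid request to /dev/fd0 (bug on the kernel).</description>
  </rule>

  <rule id="5106" level="0">
    <if_sid>5100</if_sid>
    <pcre2>svc: unknown program 100227 \(me 100003\)</pcre2>
    <description>NFS incompatibility between Linux and Solaris.</description>
  </rule>

  <rule id="5107" level="0">
    <if_sid>5100</if_sid>
    <pcre2>svc: bad direction </pcre2>
    <description>NFS incompatibility between Linux and Solaris.</description>
  </rule>

  <rule id="5108" level="12">
    <if_sid>5100</if_sid>
    <pcre2>Out of Memory: </pcre2>
    <description>System running out of memory. </description>
    <description>Availability of the system is at risk.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="5109" level="4">
    <if_sid>5100</if_sid>
    <pcre2>I/O error: dev |end_request: I/O error, dev</pcre2>
    <description>Kernel Input/Output error</description>
  </rule>

  <rule id="5110" level="4">
    <if_sid>5100</if_sid>
    <pcre2>Forged DCC command from</pcre2>
    <description>IRC misconfiguration</description>
  </rule>

  <rule id="5111" level="0">
    <if_sid>5100</if_sid>
    <pcre2>ipw2200: Firmware error detected\.| ACPI Error</pcre2>
    <description>Kernel device error.</description>
  </rule>

  <rule id="5112" level="0">
    <if_sid>5100</if_sid>
    <pcre2>usbhid: probe of</pcre2>
    <description>Kernel usbhid probe error (ignored).</description>
  </rule>

  <rule id="5113" level="7">
    <if_sid>5100</if_sid>
    <pcre2>Kernel log daemon terminating</pcre2>
    <group>system_shutdown,</group>
    <description>System is shutting down.</description>
  </rule>

  <rule id="5130" level="7">
    <if_sid>5100</if_sid>
    <pcre2>ADSL line is down</pcre2>
    <description>Monitor ADSL line is down.</description>
  </rule>

  <rule id="5131" level="3">
    <if_sid>5100</if_sid>
    <pcre2>ADSL line is up</pcre2>
    <description>Monitor ADSL line is up.</description>
  </rule>

  <rule id="5200" level="0">
    <pcre2>^hpiod: unable to ParDevice</pcre2>
    <description>Ignoring hpiod for producing useless logs.</description>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL -->



<!-- Cron messages -->
<group name="syslog,cron,">
  <rule id="2830" level="0">
    <program_name_pcre2>crond|crontab</program_name_pcre2>
    <description>Crontab rule group.</description>
  </rule>

  <rule id="2831" level="0">
    <if_sid>2830</if_sid>
    <pcre2>^unable to exec</pcre2>
    <description>Wrong crond configuration</description>
  </rule>

  <rule id="2834" level="5">
    <if_sid>2830</if_sid>
    <pcre2>BEGIN EDIT</pcre2>
    <description>Crontab opened for editing.</description>
  </rule>

  <rule id="2832" level="5">
    <if_sid>2830</if_sid>
    <pcre2>REPLACE</pcre2>
    <description>Crontab entry changed.</description>
  </rule>

  <!-- Escalates 2832 when the crontab being replaced belongs to root. -->
  <rule id="2833" level="8">
    <if_sid>2832</if_sid>
    <pcre2>^\(root\)</pcre2>
    <description>Root's crontab entry changed.</description>
  </rule>

</group> <!-- SYSLOG,CRON -->



<!-- Su messages -->
<group name="syslog,su,">
  <rule id="5300" level="0" noalert="1">
    <decoded_as>su</decoded_as>
    <description>Initial grouping for su messages.</description>
  </rule>

  <rule id="5301" level="5">
    <if_sid>5300</if_sid>
    <pcre2>authentication failure; |failed|BAD su|^-</pcre2>
    <description>User missed the password to change UID (user id).</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="5302" level="9">
    <if_sid>5301</if_sid>
    <user_pcre2>^root</user_pcre2>
    <description>User missed the password to change UID to root.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- The character class below contains a raw "<" and "&". The OSSEC rule
    -  loader accepts them as written, but a strict XML parser would reject
    -  the file here; keep that in mind before running generic XML tooling
    -  over it. Do not escape them without confirming the loader decodes
    -  entities. -->
  <rule id="5303" level="3">
    <if_sid>5300</if_sid>
    <pcre2>session opened for user root|^'su root'|</pcre2>
    <pcre2>^\+ \S+ \S+[()*+,.:;\<=>?\[\]!"'#%&$|{}-]root$|^\S+ to root on|^SU \S+ \S+ \+ \S+ \S+-root$</pcre2>
    <description>User successfully changed UID to root.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="5304" level="3">
    <if_sid>5300</if_sid>
    <pcre2>session opened for user|succeeded for|</pcre2>
    <pcre2>^\+|^\S+ to |^SU \S+ \S+ \+ </pcre2>
    <description>User successfully changed UID.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- First-time-seen (if_fts) on successful su, either to root or to
    -  any other user. -->
  <rule id="5305" level="4">
    <if_sid>5303, 5304</if_sid>
    <if_fts></if_fts>
    <options>alert_by_email</options>
    <description>First time (su) is executed by user.</description>
  </rule>

  <rule id="5306" level="0">
    <if_sid>5300</if_sid>
    <pcre2>unknown class</pcre2>
    <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
    <description>A user has attempted to su to an unknown class.</description>
  </rule>

</group> <!-- SYSLOG,SU -->



<!-- Tripwire messages -->
<group name="syslog,tripwire,">
  <rule id="7101" level="8">
    <pcre2>Integrity Check failed: File could not</pcre2>
    <description>Problems with the tripwire checking</description>
  </rule>
</group> <!-- SYSLOG,TRIPWIRE -->



<!-- Adduser messages -->
<group name="syslog,adduser,">
  <rule id="5901" level="8">
    <pcre2>^new group</pcre2>
    <description>New group added to the system</description>
  </rule>

  <rule id="5902" level="8">
    <pcre2>^new user|^new account added</pcre2>
    <description>New user added to the system</description>
  </rule>

  <rule id="5903" level="2">
    <pcre2>^delete user|^account deleted|^remove group</pcre2>
    <description>Group (or user) deleted from the system</description>
  </rule>

  <rule id="5904" level="8">
    <pcre2>^changed user</pcre2>
    <description>Information from the user was changed</description>
  </rule>

  <rule id="5905" level="0">
    <program_name_pcre2>useradd</program_name_pcre2>
    <pcre2>failed adding user </pcre2>
    <description>useradd failed.</description>
  </rule>

</group> <!-- SYSLOG,ADDUSER -->



<!-- Sudo messages -->
<group name="syslog,sudo,">
  <rule id="5400" level="0" noalert="1">
    <decoded_as>sudo</decoded_as>
    <description>Initial group for sudo messages</description>
  </rule>

  <rule id="5401" level="5">
    <if_sid>5400</if_sid>
    <pcre2>incorrect password attempt</pcre2>
    <description>Failed attempt to run sudo</description>
  </rule>

  <!-- Leading spaces in the pattern are significant: they anchor on the
    -  " ; USER=root ; " field separators of the sudo log line. -->
  <rule id="5402" level="3">
    <if_sid>5400</if_sid>
    <pcre2> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</pcre2>
    <description>Successful sudo to ROOT executed</description>
  </rule>

  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <options>alert_by_email</options>
    <if_fts></if_fts>
    <description>First time user executed sudo.</description>
  </rule>

  <rule id="5404" level="10">
    <if_sid>5401</if_sid>
    <pcre2>3 incorrect password attempts</pcre2>
    <description>Three failed attempts to run sudo</description>
  </rule>

  <rule id="5405" level="5">
    <if_sid>5400</if_sid>
    <pcre2>user NOT in sudoers</pcre2>
    <description>Unauthorized user attempted to use sudo.</description>
  </rule>

</group> <!-- SYSLOG,SUDO -->


<!-- PPTP messages -->
<group name="syslog,pptp,">
  <rule id="9100" level="0" noalert="1">
    <program_name_pcre2>^pptpd</program_name_pcre2>
    <description>PPTPD messages grouped</description>
  </rule>

  <rule id="9101" level="0">
    <if_sid>9100</if_sid>
    <pcre2>^GRE: \S+ from \S+ failed: status = -1 </pcre2>
    <description>PPTPD failed message (communication error)</description>
    <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
  </rule>

  <rule id="9102" level="0">
    <if_sid>9100</if_sid>
    <pcre2>^tcflush failed: Bad file descriptor</pcre2>
    <description>PPTPD communication error</description>
  </rule>
</group> <!-- SYSLOG,PPTP -->



<!-- Syslog FTS -->
<!-- First-time-seen on any rule tagged authentication_success; the tag is
  -  re-applied here so the alert itself carries it. -->
<group name="syslog,fts,">
  <rule id="10100" level="4">
    <if_group>authentication_success</if_group>
    <options>alert_by_email</options>
    <if_fts></if_fts>
    <group>authentication_success</group>
    <description>First time user logged in.</description>
  </rule>
</group> <!-- SYSLOG,FTS -->


<!-- Squid messages -->
<group name="syslog,squid,">
  <rule id="9200" level="0" noalert="1">
    <program_name_pcre2>^squid</program_name_pcre2>
    <description>Squid syslog messages grouped</description>
  </rule>

  <rule id="9201" level="0">
    <if_sid>9200</if_sid>
    <pcre2>^ctx: enter level|^sslRead|^urlParse: Illegal |</pcre2>
    <pcre2>^httpReadReply: Request not yet |^httpReadReply: Excess data</pcre2>
    <description>Squid debug message</description>
  </rule>
</group> <!-- SYSLOG,SQUID -->


<!-- Dpkg (Debian package manager) log -->
<group name="syslog,dpkg,">
  <rule id="2900" level="0">
    <decoded_as>windows-date-format</decoded_as>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} startup |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} remove |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} configure |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} install |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} purge |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} trigproc |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} conffile |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} upgrade </pcre2>
    <description>Dpkg (Debian Package) log.</description>
  </rule>

  <rule id="2901" level="3">
    <if_sid>2900</if_sid>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} install</pcre2>
    <description>New dpkg (Debian Package) requested to install.</description>
  </rule>

  <rule id="2902" level="7">
    <if_sid>2900</if_sid>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status installed</pcre2>
    <description>New dpkg (Debian Package) installed.</description>
    <group>config_changed,</group>
  </rule>

  <rule id="2903" level="7">
    <if_sid>2900</if_sid>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} remove|</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} purge</pcre2>
    <description>Dpkg (Debian Package) removed.</description>
    <group>config_changed,</group>
  </rule>
</group> <!-- SYSLOG,DPKG -->


<!-- Yum (RPM package manager) log -->
<group name="syslog,yum,">
  <rule id="2930" level="0">
    <program_name_pcre2>^yum</program_name_pcre2>
    <description>Yum logs.</description>
  </rule>

  <!-- Same events when read straight from yum.log rather than via syslog. -->
  <rule id="2931" level="0">
    <hostname_pcre2>yum\.log$</hostname_pcre2>
    <pcre2>^Installed|^Updated|^Erased</pcre2>
    <description>Yum logs.</description>
  </rule>

  <rule id="2932" level="7">
    <if_sid>2930,2931</if_sid>
    <pcre2>^Installed</pcre2>
    <group>config_changed,</group>
    <description>New Yum package installed.</description>
  </rule>

  <rule id="2933" level="7">
    <if_sid>2930,2931</if_sid>
    <pcre2>^Updated</pcre2>
    <group>config_changed,</group>
    <description>Yum package updated.</description>
  </rule>

  <rule id="2934" level="7">
    <if_sid>2930,2931</if_sid>
    <pcre2>^Erased</pcre2>
    <group>config_changed,</group>
    <description>Yum package deleted.</description>
  </rule>
</group> <!-- SYSLOG,YUM -->


<!-- SCSI controller (mptscsih / mptbase) messages. These chain on the
  -  kernel pre-match 5100, so they are tagged linuxkernel; in earlier
  -  revisions they sat at the end of the yum group and inherited its tag. -->
<group name="syslog,linuxkernel,">
  <rule id="2935" level="0" noalert="1">
    <if_sid>5100</if_sid>
    <id_pcre2>mptscsih</id_pcre2>
    <description>Grouping for the mptscsih rules.</description>
  </rule>

  <rule id="2936" level="0" noalert="1">
    <if_sid>5100</if_sid>
    <id_pcre2>mptbase</id_pcre2>
    <description>Grouping for the mptbase rules.</description>
  </rule>

  <rule id="2937" level="12">
    <if_sid>2935</if_sid>
    <status_pcre2>FAILED</status_pcre2>
    <description>Possible Disk failure. SCSI controller error.</description>
  </rule>

  <rule id="2938" level="12">
    <if_sid>2936</if_sid>
    <action>failed</action>
    <description>SCSI RAID ARRAY ERROR, drive failed.</description>
  </rule>

  <rule id="2939" level="12">
    <if_sid>2936</if_sid>
    <action>degraded</action>
    <description>SCSI RAID is now in a degraded status.</description>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL (SCSI) -->


<!-- Miscellaneous daemon and driver messages (NetworkManager, gnome,
  -  nouveau, rsyslog). Tagged plain syslog; in earlier revisions these
  -  sat at the end of the yum group and inherited its tag. -->
<group name="syslog,">
  <rule id="2940" level="0">
    <program_name_pcre2>^NetworkManager</program_name_pcre2>
    <description>NetworkManager grouping.</description>
  </rule>

  <rule id="2941" level="3">
    <if_sid>2940</if_sid>
    <pcre2> No chain/target/match by that name\.$</pcre2>
    <description>Incorrect chain/target/match.</description>
  </rule>

  <!-- Suppression of a known false positive for 1002 ($BAD_WORDS). -->
  <rule id="2942" level="0">
    <if_sid>1002</if_sid>
    <pcre2>g_slice_set_config: assertion `sys_page_size == 0' failed</pcre2>
    <description>Uninteresting gnome error.</description>
  </rule>

  <rule id="2943" level="0">
    <pcre2>^nouveau </pcre2>
    <description>nouveau driver grouping</description>
  </rule>

  <rule id="2944" level="1">
    <if_sid>2943</if_sid>
    <pcre2> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</pcre2>
    <description>Uninteresting nouveau error.</description>
  </rule>

  <!-- Log loss indicator: rsyslog rate-limiting discards events, so any
    -  detection depending on this host's logs has a blind spot while it
    -  fires. -->
  <rule id="2945" level="4">
    <program_name_pcre2>^rsyslogd</program_name_pcre2>
    <pcre2>^imuxsock begins to drop messages </pcre2>
    <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
    <description>rsyslog may be dropping messages due to rate-limiting.</description>
  </rule>

</group> <!-- SYSLOG,MISC -->


<!-- EOF -->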