Wazuh会产生很多不必要的报警信息，通过Wazuh-manager端的/var/ossec/etc/rules/local_rules.xml可以增加一些规则来改变默认规则的行为，从而过滤掉不希望看到的告警。
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2019, Wazuh Inc. -->
<!-- Example -->
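<group name="local,syslog,sshd,">
  <!--
    Local overrides (overwrite="yes") of the stock Wazuh rules 5715, 5501 and
    5502 so that successful logins by the listed service accounts do not raise
    an alert.  The rule bodies are copied from the originals; only the <user>
    condition is added.

    The <user> field is evaluated with Wazuh's default sregex syntax: a leading
    "!" negates the whole expression and "|" separates alternatives.  Without
    "^" and "$" anchors every alternative is a substring match, so a bare
    "jenkins" would also exclude any other user name that merely contains that
    string.  The patterns below are anchored so that only these exact account
    names are excluded.

    NOTE(review): this suppresses successful-login visibility for these accounts
    completely.  If the accounts can authenticate from hosts other than the
    build/CI systems, consider a separate lower-level rule (or a <srcip>
    restriction) instead of dropping the match outright, so the logins stay
    searchable.
  -->
  <rule id="5715" level="3" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <!-- exact account names only; "!" negates the whole alternation -->
    <user>!^sourcegraph$|^phabricator$|^jenkins$</user>
    <description>sshd: authentication success. local_rules.xml</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
  </rule>

  <rule id="5501" level="3" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <!-- exact account names only; "!" negates the whole alternation -->
    <user>!^sourcegraph$|^phabricator$|^jenkins$|^ambari-qa$</user>
    <description>PAM: Login session opened. local_rules.xml</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,</group>
  </rule>

  <rule id="5502" level="3" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session closed for user </match>
    <!-- keep the exclusion list identical to rule 5501 so open/close pair up -->
    <user>!^sourcegraph$|^phabricator$|^jenkins$|^ambari-qa$</user>
    <description>PAM: Login session closed. local_rules.xml</description>
    <group>pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,</group>
  </rule>
</group>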