@Martin.Roende yes regex can be a pain sometimes! Would you mind sending us the log snippet containing the false positive, I will take a look and help you figure it out.
Thanks for the feedback also...We are working on some new things to make this easier, but in the short term, manually creating the policy is necessary and filters like this may be necessary to weed out certain events. We will fold the feedback into improving the policy or providing a preconfigured template.
Please delete previous entry with this: Even though I am logged in to ma.commvault.com I cannot edit my entry.
So far I have tried out different regexes; here is the last one, without any luck in avoiding “sosreport” alerts.
denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)| denied.*cvstorage_t(?!\bsosreport_t\b)
With 4 clusters and gluster file storage I only test out in one cluster until I have a solution.
My test works and gives a correct alert:
# touch /ws/glus/`hostname`-touch-trigger;ls -al /ws/glus
touch: cannot touch ‘/ws/glus/XXXXX-touch-trigger’: Permission denied
total 16
drwxr-xr-x. 5 root root 4096 Jan 27 12:52 .
drwxr-xr-x. 28 root root 4096 Jun 30 2020 ..
drw-r--r--. 2 root root 4096 Jan 27 12:52 .cvlt
drwxrwxr-x. 3 root root 4096 Sep 15 10:42 Folder_08.13.2020_10.45
The alert is (in HTML format in the mail, of course):
CommCell: comcell01
Type: Operation - Event Viewer Events
Detected Criteria: Event Viewer Events
Detected Time: Mon Feb 8 13:02:23 2021
• Event ID: 40861623
• Monitoring Criteria: (Event Code contains 35:4402) AND (Description contains Criteria matched for monitoring policy mHyperScale-22H Ransomware Protection Auditlog monitoring])
• Severity: Major
• Event Date: Mon Feb 8 13:04:25 2021
• Program: cvd
• Client: XXXXX
• Description: Criteria matched for monitoring policy HyperScale-22H Ransomware Protection Auditlog monitoring]. Description: stype=AVC msg=audit(1612785653.356:918378): avc: denied { write } for pid=19991 comm="touch" name="/" dev="fuse" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0]
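An added check, not part of the original post, that runs the posted expression and a candidate rewrite against constructed AVC records; Python's re stands in for the policy's regex engine (an assumption), and the candidate pattern and the sosreport/dbus/unrelated sample lines are made up here, not taken from Commvault's template.

```python
import re

# Pattern exactly as posted in the thread (including the stray space that
# begins the third alternative).
POSTED = (r"denied.*cvstorage_t(?!.*\bdbus\b.*)|denied.*cvbackup_t(?!.*\bdbus\b.*)|"
          r" denied.*cvstorage_t(?!\bsosreport_t\b)")

# Candidate rewrite (an assumption, not Commvault's template): veto the whole
# line up front, anchored at ^, then require a denial against either CV type.
# A lookahead placed after cvstorage_t cannot see scontext=...:sosreport_t,
# because the source context precedes the target context in an AVC record.
CANDIDATE = (r"^(?!.*\b(?:dbus|sosreport_t)\b).*denied.*"
             r"\bcv(?:storage|backup)_t\b")

# Constructed AVC records. "touch" mirrors the thread's test; the others are
# made up here to stand in for the sosreport and dbus noise being filtered.
SAMPLES = {
    "touch": ('avc: denied { write } for pid=19991 comm="touch" name="/" dev="fuse" '
              'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
              'tcontext=system_u:object_r:cvstorage_t:s0 tclass=dir permissive=0'),
    "sosreport": ('avc: denied { read } for pid=4242 comm="sosreport" name="cvlt.log" '
                  'scontext=system_u:system_r:sosreport_t:s0 '
                  'tcontext=system_u:object_r:cvstorage_t:s0 tclass=file permissive=0'),
    "dbus": ('avc: denied { send_msg } for pid=77 comm="dbus-daemon" '
             'scontext=system_u:system_r:cvbackup_t:s0 '
             'tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=0'),
    "unrelated": ('avc: denied { open } for pid=9 comm="cat" '
                  'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
                  'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'),
}


def fires(pattern: str, line: str) -> bool:
    """True when the monitoring criteria would raise an alert for this line.

    Assumes the policy applies the expression with search semantics in a
    Perl-like dialect; Python's re is close enough for this check.
    """
    return re.search(pattern, line) is not None


def evaluate(pattern: str) -> dict:
    """Map each sample name to whether the pattern would alert on it."""
    return {name: fires(pattern, line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(label, evaluate(pat))
```

The posted pattern still fires on the sosreport line because sosreport_t sits in scontext, before cvstorage_t, where a trailing lookahead never looks; the anchored leading veto drops it while keeping the touch test alert.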
Fixed - there is a time limit on editing posts
Adding in the auditlog example, anonymized.
Updating (and closing) as this conversation was taken offline with @DMCVault .