
OSSEC alert when securedrop-admin install run is not as described

Open ChumOfChance opened this issue 1 month ago • 0 comments

The page for OSSEC Alerts describes the OSSEC alert message users can expect to see when a SecureDrop admin runs securedrop-admin install (running the Ansible playbook on the servers).

https://docs.securedrop.org/en/stable/admin/maintenance/ossec_alerts.html#securedrop-admin-commands

I do not see the described message Rule: 400001 fired (level 13) -> "Ansible playbook run on server (securedrop-admin install, backup, or restore)." in my OSSEC alerts when running securedrop-admin install. I do get many alerts, including some "Alert level 13" with references to Ansible such as:

Received From: mon->/var/log/syslog
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

2025-10-15T23:43:45.847151+00:00 mon python3[146947]: ansible-apt_key Invoked with state=present data=-----BEGIN PGP PUBLIC KEY BLOCK-----
...

ChumOfChance, Nov 26 '25 21:11
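
A triage sketch for the situation reported above, added here as an example and not part of the original issue or of SecureDrop's own code: it parses saved alert text in the format quoted in the issue, reports whether rule 400001 fired, and shows which rules captured the Ansible log lines instead. The function names and the sample text are assumptions; the second sample alert is constructed.

```python
import re
from collections import Counter

EXPECTED_RULE = 400001  # rule id quoted in the issue text

# Alert header line in the format quoted in the issue:
#   Rule: 1003 fired (level 13) -> "description"
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"\s*$')

# Constructed sample: first alert copied from the issue, second one made up.
SAMPLE = """\
Received From: mon->/var/log/syslog
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

2025-10-15T23:43:45.847151+00:00 mon python3[146947]: ansible-apt_key Invoked with state=present data=-----BEGIN PGP PUBLIC KEY BLOCK-----

Received From: mon->/var/log/auth.log
Rule: 5501 fired (level 3) -> "Login session opened."
Portion of the log(s):

2025-10-15T23:40:01.000000+00:00 mon sshd[1000]: constructed sample line
"""

def parse_alerts(text):
    """Return one dict per alert: rule id, level, description, log lines."""
    alerts, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"rule": int(m.group(1)), "level": int(m.group(2)),
                       "desc": m.group(3), "log": []}
            alerts.append(current)
        elif line.startswith("Received From:"):
            current = None  # a new alert block begins
        elif current and line.strip() and not line.startswith("Portion of the log"):
            current["log"].append(line)
    return alerts

def summarize(text, keyword="ansible"):
    """Did the expected rule fire, and which rules caught keyword log lines?"""
    alerts = parse_alerts(text)
    hits = Counter(a["rule"] for a in alerts
                   if any(keyword in l.lower() for l in a["log"]))
    return {"expected_fired": any(a["rule"] == EXPECTED_RULE for a in alerts),
            "rules_mentioning_keyword": dict(hits)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
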