Derrick Egersdörfer
WEB DEVELOPER
@codechap


Stop Ossec from blocking Piwik users.
14 March 2015

With a recent installation of Ossec and Piwik, I've discovered the two don't like each other as much as they use to. Ossec has a rule: 31533, that checks for an unusual amount of post requests within a given time frame. Piwik does do this and results in a false positive, locking users out after a few clicks.

The quick solution is to create a custom local rule to exclude Piwik.

Edit your {$dir}/ossec/rules/local_rules.xml and add:

<rule id="100002" level="0">
    <if_sid>31533</if_sid>
    <match>piwik</match>
    <description>Leave Piwik alone</description>
</rule>