From 1a3d4a2051bcd0f1379ccbb05145f6a4d519f7d2 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 3 Nov 2023 09:14:26 -0400
Subject: [PATCH] ignore malformed open canary log lines

---
 salt/common/tools/sbin/so-log-check | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check
index 170ef9506..d3aff6c14 100755
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -140,6 +140,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example"                      # false positive (example test data)
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200"                   # false positive (request successful, contained error string in content)
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error"              # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Canary running"               # false positive (Open Canary logging out blank IP addresses)
 fi
 
 if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then