To test how your rule chain handles your logs, you can use ossec-logtest.
By default it is installed at this path: /var/ossec/bin/ossec-logtest
Run it, then copy/paste into it the logs for the alerts you want to exclude.
OSSEC will then describe each step of how it processes them:
Example:
**Phase 1: Completed pre-decoding.
full event: 'Aug 10 10:42:27 my_server kernel: [40156.042928] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=36:fa:a6:e9:c3:3f:08:00:27:c4:89:63'
hostname: 'my_server'
program_name: 'kernel'
log: '[40156.042928] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=36:fa:a6:e9:c3:3f:08:00:27:c4:89:63'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '4101'
Level: '5'
Description: 'Firewall drop event.'
**Alert to be generated.
In the results, you can see which rule matches your logs, and you can then modify that rule (or those rules) to get the behavior you want.
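To re-check a log line after changing a rule, the report format shown above can be parsed and compared with what you expect. This is an added example, not code from the original page or from OSSEC: the function names are hypothetical, the sample report is copied from the output above, and `run_logtest` assumes the default path given earlier and merges stderr into stdout so the report is captured whichever stream it is written to.

```python
import re
import subprocess

# Constructed sample: the ossec-logtest report from the page, for one iptables drop line.
SAMPLE_REPORT = """\
**Phase 1: Completed pre-decoding.
full event: 'Aug 10 10:42:27 my_server kernel: [40156.042928] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=36:fa:a6:e9:c3:3f:08:00:27:c4:89:63'
hostname: 'my_server'
program_name: 'kernel'
log: '[40156.042928] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=36:fa:a6:e9:c3:3f:08:00:27:c4:89:63'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '4101'
Level: '5'
Description: 'Firewall drop event.'
**Alert to be generated.
"""

# A report field looks like: name: 'value' (the value may itself contain colons).
FIELD = re.compile(r"^\s*([A-Za-z_ ]+?):\s*'(.*)'\s*$")

def parse_logtest(report):
    """Return the fields of one ossec-logtest report as a dict (keys lower-cased)."""
    result = {"alert": False}
    for line in report.splitlines():
        if line.strip().startswith("**Alert to be generated"):
            result["alert"] = True
        m = FIELD.match(line)
        if m:
            result[m.group(1).strip().lower().replace(" ", "_")] = m.group(2)
    return result

def check_expectation(report, **expected):
    """List every field whose parsed value differs from the expected one."""
    got = parse_logtest(report)
    return [f"{k}: got {got.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if got.get(k) != v]

def run_logtest(log_line, binary="/var/ossec/bin/ossec-logtest"):
    """Feed one log line to ossec-logtest and return its combined output."""
    proc = subprocess.run([binary], input=log_line + "\n", text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=False)
    return proc.stdout
```

After editing a rule, `check_expectation(run_logtest(line), rule_id="...", alert=False)` returns an empty list when the line is handled as intended.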
Here is an example of modifying your rules: