Yes, the <srcip> is not decoded there. Try to use:

<match>Source Network Address: (tab here)24.229.66.131</match>

Just make sure you add a tab or whatever is in the original format. As Dan said, it is best to try with ossec-logtest...

Thanks,

--
Daniel B. Cid

On Tue, Feb 7, 2012 at 9:39 AM, Peter M Abraham <peter.abra...@dynamicnet.net> wrote:
> Hi Dan:
>
> Thank you for your time and input.
>
> The ignore is not working; I get paged on all RDP logins.
>
> Here is the Windows event log.
>
> ** Alert 1328621405.259824: mail - windows,authentication_success,
> 2012 Feb 07 08:30:05 (MACHINE NAME) MACHINE-IP->WinEvtLog
> Rule: 180000 (level 11) -> 'Windows RDP Login.'
> User: <USER ID GOES HERE>s
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: <USER ID GOES HERE>: DYNAMIC-A3054BC: DYNAMIC-A3054BC: Successful Logon: User Name: <USER ID GOES HERE> Domain: <DOMAIN HERE> Logon ID: (PRIVATE) Logon Type: 10 Logon Process: Usernnn Authentication Package: Negotiate Workstation Name: <DOMAIN HERE> Logon GUID: - Caller User Name: <DOMAIN HERE> Caller Domain: WORKGROUP Caller Logon ID: (PRIVATE) Caller Process ID: 432 Transited Services: - Source Network Address: 24.229.66.131 Source Port: 50104
>
> <rule id="180001" level="0">
>   <if_sid>180000</if_sid>
>   <srcip>24.229.66.131</srcip>
>   <description>Valid system admin IP - igore</description>
> </rule>
>
> I'm not sure if it is the <srcip> that is not working or if the granular email rule is only going on the parent.
>
> How can I get it narrowed down?
>
> Thank you.
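To see why the child rule above never silences the alert, here is a small Python model of the two rule conditions discussed in the thread. It is an added illustration, not OSSEC's own code: the decoder is a stand-in that, as Daniel states, does not fill srcip for this WinEvtLog format, `<srcip>` is compared against the decoded field only, and `<match>` is a literal substring test on the raw log. The sample log line is constructed from the one quoted above (placeholder user and domain), and the tab after "Source Network Address:" is an assumption, since the mail collapsed the original whitespace.

```python
import re

# Constructed sample, modelled on the WinEvtLog line quoted in the thread.
# The tab before the IP is assumed; the real event must be checked with
# ossec-logtest to see which whitespace is actually there.
SAMPLE_LOG = (
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jdoe: DYNAMIC-A3054BC: "
    "DYNAMIC-A3054BC: Successful Logon: User Name: jdoe Domain: EXAMPLE "
    "Logon Type: 10 Source Network Address:\t24.229.66.131 Source Port: 50104"
)


def winevt_decoder(log):
    """Stand-in for the windows decoder: extracts log source, status and event
    id, but (as the thread states) leaves srcip undecoded for this format."""
    m = re.match(r"WinEvtLog: (\w+): (\w+)\((\d+)\)", log)
    if not m:
        return {}
    return {"log_source": m.group(1), "status": m.group(2), "id": m.group(3)}


def rule_fires(rule, log, decoded):
    """<srcip> only compares the decoded field; <match> is a plain substring
    test against the raw log text, so whitespace must be reproduced exactly."""
    if "srcip" in rule and decoded.get("srcip") != rule["srcip"]:
        return False
    if "match" in rule and rule["match"] not in log:
        return False
    return True


def final_level(log, child_rules, parent_level=11):
    """Parent rule 180000 fires at level 11; the first matching <if_sid> child
    replaces that level (level 0 means no alert, i.e. the login is ignored)."""
    decoded = winevt_decoder(log)
    for rule in child_rules:
        if rule_fires(rule, log, decoded):
            return rule["level"]
    return parent_level


# The three candidate child rules for <if_sid>180000</if_sid>.
RULE_SRCIP = {"id": "180001", "level": 0, "srcip": "24.229.66.131"}
RULE_MATCH_SPACE = {"id": "180001", "level": 0,
                    "match": "Source Network Address: 24.229.66.131"}
RULE_MATCH_TAB = {"id": "180001", "level": 0,
                  "match": "Source Network Address:\t24.229.66.131"}

if __name__ == "__main__":
    for name, rule in [("srcip", RULE_SRCIP), ("match/space", RULE_MATCH_SPACE),
                       ("match/tab", RULE_MATCH_TAB)]:
        print(f"{name:12s} -> alert level {final_level(SAMPLE_LOG, [rule])}")
```

Only the `<match>` that reproduces the exact separator drops the alert to level 0; the `<srcip>` child and a `<match>` with the wrong whitespace leave the level 11 parent alert in place, which is the paging behaviour described above.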