Okay, try this: Temporarily remove "<options>alert_by_email</options>" from rule 1002 in syslog_rules.xml. Now add "<options>alert_by_email</options>" to your custom rule. Restart OSSEC and generate the alert.
What I'm trying to do here is stop OSSEC from sending the rule 1002 email. I think that the "alert_by_email" option forces OSSEC to send an email alert and stops it from continuing on to reach rule 100007. Just guessing. Btw, sorry for my English; as you would imagine, it is not my mother language.

On Friday, November 13, 2015, 11:20:47 (UTC-8), Daniel Bray wrote:
>
> On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp) <ddp...@gmail.com> wrote:
>
>> I was hoping it would help with the production use, but since it was
>> working for me I guess that doesn't matter. I'm pretty much stumped at
>> the moment.
>
> I'm running this on CentOS 6
> with ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic)
> I'm curious if it's an issue with the version I'm using.