Hey guys! I'm trying to filter rule 18154 by not sending email alerts for certain hosts. I've tried several ways to filter this in the local_rules.xml file.
1) Editing the existing rule in place:

    <var name="MS_FREQ">6</var>
    <group name="windows,">
      <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
        <if_matched_sid>18103</if_matched_sid>
        <match>*ip_address*</match>
        <options>no_email_alerts</options>
        <description>Multiple Windows error events.</description>
      </rule>
    </group>

   (I've also replaced the <match> line with srcip.)

2) Creating my own rule:

    <var name="MS_FREQ">6</var>
    <group name="windows,">
      <rule id="100000" level="0" frequency="$MS_FREQ" timeframe="240">
        <if_matched_sid>18103</if_matched_sid>
        <match>*ip_address*</match>
        <description>Multiple Windows error events.</description>
      </rule>
    </group>

   (I've also replaced the <match> line with srcip.)

3) A child rule of 18154:

    <group name="windows,">
      <rule id="100000" level="0">
        <if_matched_sid>18154</if_matched_sid>
        <match>*ip_address*</match>
        <description>Multiple Windows error events.</description>
      </rule>
    </group>

   (I've also replaced the <match> line with srcip.)

Does the group name matter? Do I need to decode srcip? I have the general idea of how to filter rules in general for all hosts, but I can't seem to get it to work for specific hosts. Thanks!

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
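For reference, an added example that is not part of the original post and not taken from OSSEC's shipped rule set: a local_rules.xml fragment with a child rule of 18154 that suppresses only the e-mail for one named agent, and a level-0 variant that drops the alert for another. The agent names winhost01 and winhost02 are made up, and matching the agent on <hostname> (rather than <srcip>, which only works when the decoder has actually extracted a srcip field from the event) is an assumption spelled out in the comments. The stock 18154 rule is left untouched; the child rule overrides it only when the hostname condition is met.

```xml
<!-- Added example for local_rules.xml; not from the original post or from
     OSSEC's own rules. Assumptions:
       - the noisy agents are registered as "winhost01" and "winhost02"
         (made-up names);
       - <hostname> is an OS_Match (substring) against the "(agentname) ip"
         location prefix OSSEC attaches to agent-delivered events, so the
         agent name is what gets matched here;
       - stock rule 18154 (level 10, if_matched_sid 18103, frequency
         $MS_FREQ, timeframe 240) stays as shipped. -->
<group name="windows,local,">

  <!-- Variant A: keep the level-10 alert (it still lands in alerts.log and
       active response), just stop the e-mail for this one host.
       The option is spelled no_email_alert (singular). -->
  <rule id="100154" level="10">
    <if_sid>18154</if_sid>
    <hostname>winhost01</hostname>
    <options>no_email_alert</options>
    <description>Multiple Windows error events (winhost01, e-mail suppressed).</description>
  </rule>

  <!-- Variant B: drop the alert entirely for a second host. Level 0 means
       no alert is generated, so no e-mail either. Pick one variant per host. -->
  <rule id="100155" level="0">
    <if_sid>18154</if_sid>
    <hostname>winhost02</hostname>
    <description>Multiple Windows error events ignored for winhost02.</description>
  </rule>

</group>
```

The group name only tags the resulting alert (and is what <group> conditions elsewhere match on); it has no bearing on whether the rule fires, which is driven by <if_sid> plus the <hostname> condition. Local rule ids belong in the 100000-119999 range. After restarting OSSEC, feed one of the agent's Windows error events to /var/ossec/bin/ossec-logtest and check that the rule id reported in the output is the child rule rather than 18154.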