Hi Fredrik, you want to do something like: "if Starting daily apt activities -> disable syscheck for that agent". I think there is no way to do it. The rule engine doesn't allow rules like "if event A (starting apt) and event B (syscheck) -> rule to ignore event".
You can create a rule to ignore syscheck events between a range of time. Do you know when the update will be executed? Regards.

On Thursday, June 8, 2017 at 10:05:12 AM UTC+2, Fredrik Hilmersson wrote:
> Hello,
>
> So I'm getting more and more comfortable with the configuration and server-agent architecture. However, now I'd like to step it up and start creating my own custom rules and would appreciate some guidance and pointers.
>
> The rule I'd like to create is to avoid alerts during the apt-daily update, which triggers the integrity check and results in plenty of notifications. The syslog outputs "Starting daily apt activites..." before the apt-daily.service runs its updates, so I thought one way would be to time out the integrity check rule for x seconds once the apt-daily message appears in the syslog. I don't know, there might be an even more 'reliable' solution?
>
> Any pointers or ideas would be greatly appreciated!
>
> Kind regards,
> Fredrik
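As an added example (not from this thread), here is what that time-window rule could look like in OSSEC's local_rules.xml; the rule id 100100 and the 06:00-06:30 window are assumptions and must be adjusted to when apt-daily actually runs on the agent.

```xml
<!-- Added example, not from the ossec-list thread. -->
<group name="local,syscheck,">

  <!-- Level 0 means "do not alert". The rule matches any event whose
       parent rule belongs to the syscheck group (550, 553, 554, ...)
       and whose timestamp falls inside the window below.
       ASSUMED window: 06:00-06:30; set it to your apt-daily schedule. -->
  <rule id="100100" level="0">
    <if_group>syscheck</if_group>
    <time>6:00 am - 6:30 am</time>
    <description>Syscheck event inside the scheduled apt-daily window, ignored.</description>
  </rule>

</group>
```

Because the window is time-based rather than tied to the "Starting daily apt activities" event, it must cover the whole period in which apt-daily can run (on Debian/Ubuntu the apt-daily.timer adds a randomized delay), and any unrelated file change that lands inside the window is silenced as well, so keep it as narrow as the schedule allows.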