Hello, So I got the following custom rule on the ossec server:

<rule id="5501" level="7" overwrite="yes">
  <if_sid>5500</if_sid>
  <match>session opened for user </match>
  <description>Login session opened.</description>
  <group>authentication_success,</group>
</rule>

Then afterwards I use the local rule on the ossec server to avoid alert spam from a specific IP:

<rule id="110000" level="0">
  <if_level>2</if_level>
  <srcip>MYIP</srcip>
  <description>Ignoring ip MYIP</description>
</rule>

I tried with <match></match> instead of srcip but without success, the ossec agents still generate alerts to my ossec server when connecting from MYIP.