Your second rule is ignoring only alerts with level 2 and with your IP. I think you could use *if_sid*.
Why are you overwriting the rule 5501?

Regards.

On Monday, June 19, 2017 at 12:00:29 PM UTC+2, Fredrik Hilmersson wrote:
> Hello,
>
> So I got the following custom rule on the ossec server:
>
> <rule id="5501" level="7" overwrite="yes">
>   <if_sid>5500</if_sid>
>   <match>session opened for user </match>
>   <description>Login session opened.</description>
>   <group>authentication_success,</group>
> </rule>
>
> Then afterwards I use the local rule on the ossec server to avoid alert spam from a specific IP:
>
> <rule id="110000" level="0">
>   <if_level>2</if_level>
>   <srcip>MYIP</srcip>
>   <description>Ignoring ip MYIP</description>
> </rule>
>
> I tried with <match></match> instead of srcip but without success; the ossec agents still generate alerts to my ossec server when connecting from MYIP.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
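The suggestion in the reply, written out as an added example for local_rules.xml (this is not code from the original post or from the OSSEC project; the rule id 110001, the `MYIP` placeholder and the description text are assumptions). Instead of keying the ignore rule on a level that the overwritten rule 5501 no longer has, it chains on rule 5501 directly with `<if_sid>`, so it is evaluated for exactly the alerts the poster wants to silence:

```xml
<!-- Added example: goes in /var/ossec/rules/local_rules.xml on the OSSEC server.
     Rule 110001 fires (at level 0, i.e. silently) instead of 5501 whenever
     5501 matched and the decoded source IP is MYIP (placeholder, assumed). -->
<group name="local,">

  <rule id="110001" level="0">
    <!-- Chain on the rule that actually produces the alert, not on its level.
         5501 was overwritten to level 7 in the post, so an <if_level>2</if_level>
         condition would never see it. -->
    <if_sid>5501</if_sid>
    <!-- Only suppresses when the decoder extracted a srcip from the log line. -->
    <srcip>MYIP</srcip>
    <description>Ignore login session alerts from MYIP</description>
  </rule>

</group>
```

Two practical checks before relying on this: first, `<srcip>` can only match when the decoder extracted a source IP from that particular log line, and the pam_unix "session opened for user ... by (uid=0)" message that rule 5501 matches normally carries no IP at all, so a srcip condition on 5501 may have nothing to compare against; in that case the rule that does carry the IP (the preceding sshd "Accepted ..." event) is the one to chain on. Second, feed a real copy of the log line through `/var/ossec/bin/ossec-logtest` on the server to confirm which rule id fires and whether `srcip` appears in the decoded fields, then restart the OSSEC server process so the new local rule is loaded.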