On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson <f.hilmers...@worldclearing.org> wrote:
> Hello,
>
> Let's say I have a script which runs once every half an hour, with a latency
> difference of about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3. Username
>
> The reason I prefer more than a single match, i.e. only time, is to not by
> mistake miss an actual event.
>
> <rule id="100203" level="0" timeframe="20">
>   <if_sid>5501</if_sid>
>   <time>**:30</time>
>   <hostname>agent-hostname</hostname>
>   <user>ssh-user</user>
>   <options>no_email_alert</options>
>   <description>Ignore rule 5501 for host </description>
> </rule>
>

Where do you plan on getting the time from? The timestamp in the logs is stripped off and not evaluated.

> Kind regards,
> Fredrik
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
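The following is an added illustration of the point made in the reply, written for this thread rather than taken from OSSEC's own code. It is a toy version of the decode-then-match pipeline: the syslog timestamp is dropped when the line is pre-decoded, so a rule's `<time>` condition can only be compared against the clock of the machine running the analysis (the `analysis_clock` argument below), never against the time printed in the log line. Assumptions made here: the time condition uses the `hh:mm-hh:mm` range syntax from the OSSEC rules documentation (the `**:30` form from the question is not parsed), the window `06:29-06:31` stands in for one scheduled run, rule 5501 is represented by a simple "session opened for user" pattern, and the syslog line, hostnames and user are constructed sample data.

```python
import re
from datetime import datetime, time

# Added example, not OSSEC code. Mirrors the behaviour described in the reply:
# the pre-decoder strips the syslog timestamp, so <time> is evaluated against
# the analysis-time wall clock, not against the timestamp inside the log line.

# Constructed syslog header pattern: "Mon DD hh:mm:ss host prog[pid]: msg".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Stand-in for rule 5501 ("Login session opened"), the parent rule in the question.
PAM_SESSION_RE = re.compile(r"session opened for user (?P<user>\S+)")


def strip_syslog_header(line):
    """Return the fields that survive pre-decoding; the timestamp is discarded."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group("host"), "program": m.group("prog"), "msg": m.group("msg")}


def decode(line):
    """Toy decoder: build the event a child rule of 5501 would be matched against."""
    fields = strip_syslog_header(line)
    if fields is None:
        return None
    pam = PAM_SESSION_RE.search(fields["msg"])
    if pam is None:
        return None
    return {"sid": 5501, "hostname": fields["hostname"], "user": pam.group("user")}


def parse_time_range(spec):
    """Parse the documented hh:mm-hh:mm range into (start, end) time objects."""
    start, end = spec.split("-")
    h1, m1 = (int(x) for x in start.split(":"))
    h2, m2 = (int(x) for x in end.split(":"))
    return time(h1, m1), time(h2, m2)


def in_time_range(now, spec):
    """Minute-granularity test of `now` against the range, wrapping over midnight."""
    start, end = parse_time_range(spec)
    current = time(now.hour, now.minute)
    if start <= end:
        return start <= current <= end
    return current >= start or current <= end


def rule_matches(rule, event, now):
    """Apply if_sid, time, hostname and user conditions. `now` is the only
    time the rule ever sees; the line's own timestamp is already gone."""
    if event is None or event["sid"] != rule["if_sid"]:
        return False
    if "time" in rule and not in_time_range(now, rule["time"]):
        return False
    if "hostname" in rule and event["hostname"] != rule["hostname"]:
        return False
    if "user" in rule and event["user"] != rule["user"]:
        return False
    return True


# Constructed rule equivalent to the one in the question, with the time written
# as a two-minute window around a single scheduled run (assumption).
IGNORE_RULE = {
    "id": 100203,
    "if_sid": 5501,
    "time": "06:29-06:31",
    "hostname": "agent-hostname",
    "user": "ssh-user",
}

# Constructed log line: the scheduled login at 06:30 as syslog would write it.
SAMPLE_LINE = ("Jul  3 06:30:05 agent-hostname sshd[1234]: "
               "pam_unix(sshd:session): session opened for user ssh-user by (uid=0)")


def evaluate(line, analysis_clock, rule=IGNORE_RULE):
    """analysis_clock is "HH:MM:SS" on the analysis server when the line is processed."""
    now = datetime.strptime(analysis_clock, "%H:%M:%S")
    return rule_matches(rule, decode(line), now)


if __name__ == "__main__":
    print(evaluate(SAMPLE_LINE, "06:30:15"))  # True: processed within the window
    print(evaluate(SAMPLE_LINE, "14:00:00"))  # False: the "06:30:05" in the line is ignored
```

Running the block shows the two outcomes side by side: the same line with "06:30:05" in its header matches only when the analysis server's clock is inside the window, which is why a time condition on its own cannot tell a delayed or replayed log line from a fresh one.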