I did end up doing this, user and hostname. However, this isn't the 
'optimal' solution as I do prefer to get alerts from the user + hostname at 
other times rather than ignoring it every half an hour. I will look more into the 
time element later on, and see if there's a way to achieve what I was 
trying to do.

Thanks for the response and help though!

Kind regards

On Tuesday, 4 July 2017 at 20:00:53 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> Do you want to ignore rule 5501 if it is fired by your script? Is it 
> not enough with the hostname and the user?
>
> Regards.
>
> On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello,
>>
>> Let's say I have a script which runs once every half an hour, with a 
>> latency difference of about 10-20 seconds.
>> Would it be possible to match the following:
>>
>> 1. Time
>> 2. Hostname
>> 3. Username
>>
>> The reason I prefer more than a single match (i.e. only time) is to not 
>> miss an actual event by mistake.
>>
>> <rule id="100203" level="0" timeframe="20">
>>   <if_sid>5501</if_sid>
>>   <time>**:30</time>
>>   <hostname>agent-hostname</hostname>
>>   <user>ssh-user</user>
>>   <options>no_email_alert</options>
>>   <description>Ignore rule 5501 for host </description>
>> </rule>
>>
>> Kind regards,
>> Fredrik
>>
>

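As an added illustration (not part of the thread and not OSSEC's own rule engine), the following Python sketch expresses the three-way match Fredrik is after: an SSH login matching rule 5501 is only treated as the expected scheduled job when the hostname and user match AND the event lands within a small window around the half-hour marks. The hostname and user values come from the quoted rule; the 20-second tolerance is taken from the 10-20 s jitter mentioned in the question; the sample events are constructed.

```python
"""Stand-alone sketch of "suppress only when time AND hostname AND user all
match". Hypothetical code for illustration; it does not reuse OSSEC internals."""
from datetime import datetime, timedelta

# Values from the quoted rule (expected host/user of the half-hourly script).
EXPECTED_HOSTNAME = "agent-hostname"
EXPECTED_USER = "ssh-user"
EXPECTED_RULE_ID = 5501
# Assumption: the script's start jitter is at most 20 s, per the thread.
TOLERANCE = timedelta(seconds=20)
PERIOD = timedelta(minutes=30)  # the script runs every half hour


def seconds_from_schedule(ts: datetime) -> float:
    """Distance in seconds from ts to the nearest :00 or :30 mark.

    Handles the wrap-around case: 12:59:50 is 10 s before 13:00, not 1790 s
    after 12:30.
    """
    period = PERIOD.total_seconds()
    into_hour = ts.minute * 60 + ts.second + ts.microsecond / 1e6
    offset = into_hour % period
    return min(offset, period - offset)


def is_expected_login(event: dict) -> bool:
    """True only when rule id, hostname, user AND time window all match.

    Requiring all three is the point of the question: a login from the same
    host/user at an unscheduled time, or from another user at the scheduled
    time, must still raise an alert.
    """
    if event.get("rule_id") != EXPECTED_RULE_ID:
        return False
    if event.get("hostname") != EXPECTED_HOSTNAME:
        return False
    if event.get("user") != EXPECTED_USER:
        return False
    return seconds_from_schedule(event["timestamp"]) <= TOLERANCE.total_seconds()


def triage(events):
    """Split events into (suppressed, alerts) lists."""
    suppressed, alerts = [], []
    for ev in events:
        (suppressed if is_expected_login(ev) else alerts).append(ev)
    return suppressed, alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # scheduled run, 12 s late -> suppressed
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "timestamp": datetime(2017, 7, 3, 12, 30, 12)},
    # scheduled run, 10 s early relative to 13:00 -> suppressed (wrap-around)
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "timestamp": datetime(2017, 7, 3, 12, 59, 50)},
    # right time and host, wrong user -> alert
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "root",
     "timestamp": datetime(2017, 7, 3, 12, 30, 5)},
    # right host and user, off schedule -> alert
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "timestamp": datetime(2017, 7, 3, 12, 41, 0)},
    # right time and user, unexpected host -> alert
    {"rule_id": 5501, "hostname": "other-host", "user": "ssh-user",
     "timestamp": datetime(2017, 7, 3, 12, 30, 0)},
]


def run_sample():
    """Return (number suppressed, number alerting) for the constructed events."""
    suppressed, alerts = triage(SAMPLE_EVENTS)
    return len(suppressed), len(alerts)


if __name__ == "__main__":
    sup, al = run_sample()
    print(f"suppressed={sup} alerts={al}")
```

The same three conditions are what the quoted `<rule>` tries to express; the sketch only makes explicit that the time check has to tolerate jitter on both sides of the half-hour mark.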