[ossec-list] Re: OSSEC exclude IP and prevent alert trigger
I did end up creating a specific crontab user for remote ssh connections, and here's how I excluded it from alerts if anyone else is interested.

5501 USERNAME no_email_alert Ignore rule 5501 for scheduled crontab user

Kind regards,
Fredrik

On Monday 29 May 2017 at 09:52:41 UTC+2, Fredrik Hilmersson wrote:
>
> Hello, let me try to make myself understood. So I've got the part to
> ignore/exclude a specific IP to work, that's no problem. However, here's my
> issue/problem I'd like to solve.
>
> 7 cronjobIP Ignoring cronjobIP
>
> 1. Ignore specific IP which runs regular cronjobs and utilizes SSH (done).
> 2. The SSH rule triggers rule 5501, session opened for user X (in this
> case the IP which I want to ignore).
> 3. The SSH rule triggers rule 5502, session closed for user X (in this
> case the IP which I want to ignore).
>
> So, my question - beside ignoring the specific IP for rule 5715 (SSHD
> authentication success), is there a way to prevent step 1 from triggering step 2
> and 3?
>
> One option would obviously be to ignore the user and create a specific
> user for the certain cronjob.
>
> Kind regards,
> Fredrik

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
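The suppression described in this thread, written out as a complete local rules fragment. This is an added example, not the poster's own rules file: the rule ids 100010 and 100011, the user name `cronuser` and the address `192.0.2.10` are placeholders. It covers both the sshd success event (5715) and the pam session open/close events (5501/5502), since those fire independently and each needs its own child rule:

```xml
<!-- Added example (not the poster's rules); rule ids 100010/100011, the user
     "cronuser" and the address 192.0.2.10 are assumptions.
     File: /var/ossec/rules/local_rules.xml on the manager; restart ossec after editing. -->
<group name="local,syslog,sshd,">

  <!-- Successful login (5715) for the dedicated cron user, and only from the
       cron host: matching on both user and srcip keeps the exception narrow,
       so the same account logging in from anywhere else still alerts.
       level="0" drops the alert entirely; keep a non-zero level together with
       <options>no_email_alert</options> if it should be logged but not mailed. -->
  <rule id="100010" level="0">
    <if_sid>5715</if_sid>
    <user>cronuser</user>
    <srcip>192.0.2.10</srcip>
    <description>Ignore sshd auth success for scheduled crontab user</description>
  </rule>

  <!-- The pam "session opened/closed" events (5501/5502) carry the user but no
       source address, so this rule matches on the user only. One child rule
       can list both parent ids. -->
  <rule id="100011" level="0">
    <if_sid>5501,5502</if_sid>
    <user>cronuser</user>
    <description>Ignore pam session open/close for scheduled crontab user</description>
  </rule>

</group>
```

Verify the rules with `/var/ossec/bin/ossec-logtest` by pasting a real "Accepted publickey for cronuser from 192.0.2.10" line and a "session opened for user cronuser" line: both should end at rule 100010/100011 with level 0 rather than at 5715/5501.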
[ossec-list] OSSEC - windows event
Dear All,

I would like to be able to retrieve logs from a Windows machine to my OSSIM. I have done the following changes in ossec.conf on my client:

OAlerts eventchannel
Microsoft-Windows-WMI-Activity/Operational eventchannel

Started the client again. But nothing goes to the server. Can you please let me know where I should do other configs if required to make it work.

Thanks,
IR
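The two localfile entries the post refers to, written out in full, plus the manager-side setting a practitioner would use to confirm the events actually arrive. This is an added example, not the poster's configuration; it assumes the OSSIM host is the OSSEC manager and that the agent runs an OSSEC Windows agent that supports the eventchannel format (2.7 or newer, on Windows Vista or later):

```xml
<!-- Added example, not the poster's files.
     File 1: ossec.conf on the Windows agent. The channel names are exactly the
     ones shown in Event Viewer under "Applications and Services Logs". The
     agent must be restarted after adding localfile entries. -->
<ossec_config>
  <localfile>
    <location>OAlerts</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-WMI-Activity/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- File 2: ossec.conf on the manager (assumed to be the OSSIM host). With
     logall enabled every event received from agents is written to
     /var/ossec/logs/archives/archives.log, whether or not a rule fires. An
     "alert" only appears when a rule at or above the configured alert level
     matches, so an empty alerts.log does not by itself mean the agent is not
     shipping the channel. Restart the manager after the change. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
```

If the archive shows the WMI-Activity events but no alerts, the problem is rule coverage on the manager rather than collection on the agent; if the archive shows nothing from that agent, check the agent's `ossec.log` for errors opening the channel and confirm the agent is connected (`/var/ossec/bin/agent_control -l`).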
[ossec-list] Re: OSSEC - windows event
Hi All,

I am also facing the same problem. I am not getting alerts of creation/deletion of files from the Windows agent to my manager (Linux). Agent shows connected and active; the only alerts I get from the agent (win) are agent start/restart/change in ossec.conf (agent).

To monitor the D:\ drive, I have done the following changes in ossec.conf on the manager:

C:.,D:.

But I don't get any alerts on my manager. Can you please help me out.

Thanks
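Two things commonly stand between a syscheck `<directories>` line and a file-creation alert from a Windows agent, and both are shown below as an added example (not the poster's configuration; the directory `D:\data` is an assumed path). First, the directive has to reach the agent: a `<syscheck>` block in the manager's own ossec.conf only monitors the manager host, so it belongs either in the agent's ossec.conf or in the manager's shared agent.conf, which is pushed to agents. Second, OSSEC's stock "file added" rule (554) is level 0, so creations are never alerted until that rule is overridden:

```xml
<!-- Added example, not the poster's files. D:\data is an assumed directory.
     File 1: /var/ossec/etc/shared/agent.conf on the manager, pushed to
     Windows agents (the same <syscheck> block could go directly into the
     agent's own ossec.conf instead). -->
<agent_config os="Windows">
  <syscheck>
    <!-- Scheduled scan every 20 minutes; realtime="yes" additionally reports
         changes as they happen. Whole-drive monitoring is expensive and noisy,
         so point it at the data directories that matter. -->
    <frequency>1200</frequency>
    <directories check_all="yes" realtime="yes">D:\data</directories>
    <!-- Without this, new files are not reported at all. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</agent_config>

<!-- File 2: /var/ossec/rules/local_rules.xml on the manager.
     Deletions (rule 553) already alert at level 7 by default; additions
     (rule 554) are level 0, so raise them here. Restart the manager afterwards. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting the agent, confirm it received the shared configuration by checking that `agent.conf` was merged (the agent's ossec.log reports it) before looking for alerts; a deletion test on `D:\data` should raise rule 553 and a creation test rule 554 once the override is in place.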