Yes, the srcip is not decoded there. Try to use:
    <match>Source Network Address: (tab here)24.229.66.131</match>
Just make sure you add a tab or whatever is in the original format.
As Dan said, it is best to try with ossec-logtest...
Thanks,
--
Daniel B. Cid
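Putting the two messages together, this is how the rule from the quoted mail would look with the suggested <match> in place of <srcip> (an added example, not code from either poster; the enclosing <group> name is an assumption, and the whitespace between "Address:" and the IP must be the exact character the raw event carries, here a literal tab):

```xml
<!-- Added example, not from the thread. The <srcip> field is not decoded
     for this Windows event, so the rule matches on the raw text instead.
     The character between "Address:" and the IP below is a literal TAB;
     copy it from the raw event rather than retyping it as a space. -->
<group name="local,windows,">  <!-- group name assumed -->
  <rule id="180001" level="0">
    <if_sid>18</if_sid>
    <match>Source Network Address:	24.229.66.131</match>
    <description>Valid system admin IP - ignore</description>
  </rule>
</group>
```

Run the raw event through ossec-logtest and confirm that 180001 (level 0) is the rule that fires before relying on it to suppress the page.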
On Tue, Feb 7, 2012 at 9:39 AM, Peter M Abraham
peter.abra...@dynamicnet.net wrote:
Hi Dan:
Thank you for your time and input.
The ignore is not working; I get paged on all RDP logins.
Here is the Windows event log.
** Alert 1328621405.259824: mail - windows,authentication_success,
2012 Feb 07 08:30:05 (MACHINE NAME) MACHINE-IP-WinEvtLog
Rule: 18 (level 11) - 'Windows RDP Login.'
User: USER ID GOES HEREs
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: USER ID GOES
HERE: DYNAMIC-A3054BC: DYNAMIC-A3054BC: Successful Logon:
User Name: USER ID GOES HERE Domain: DOMAIN
HERE Logon ID: (PRIVATE) Logon Type: 10
Logon Process: Usernnn Authentication Package:
Negotiate Workstation Name: DOMAIN HERE Logon GUID:
- Caller User Name: DOMAIN HERE Caller Domain:
WORKGROUP Caller Logon ID: (PRIVATE) Caller Process
ID: 432 Transited Services: - Source Network Address:
24.229.66.131 Source Port: 50104
<rule id="180001" level="0">
    <if_sid>18</if_sid>
    <srcip>24.229.66.131</srcip>
    <description>Valid system admin IP - ignore</description>
</rule>
I'm not sure if it is the srcip that is not working or if the granular
email rule is only going on the parent.
How can I get it narrowed down?
Thank you.