Unfortunately the rule still doesn't work.
Also changed to:
no_email_alert
syscheck
systemd-logind
Failed to remove runtime directory /run/user/0: Device or resource busy
ignore this message
and still getting the mails
Thursday, March 1, 2018, 11:11:20 UTC+1
Bruce, thank you very much for the information. Will test with new rule
number.
On Thursday, March 1, 2018 at 14:37:04 UTC+1, Bruce Westbrook wrote:
Dmitriy, custom rules can only be numbered between 100,000 and 119,999.
Change the rule number you used (400,001) to one within the allowed range.
You can then use the *ossec-logtest* binary to test your config before
deploying it. Other than the rule number your syntax appears to be fine.
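
A pre-deployment check for the numbering rule described in the message above, as an added example that is not part of the thread or of the OSSEC project: it scans the text of a rules file for ids outside the 100000-119999 range stated there and for duplicate ids. The sample rules, the function name `check_rule_ids`, and the decision to skip rules marked `overwrite="yes"` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Range for custom rule ids as stated in the thread above.
CUSTOM_MIN, CUSTOM_MAX = 100000, 119999

# Constructed sample rules file: 400001 is the out-of-range number mentioned
# in the thread; every other id and description here is made up.
SAMPLE_RULES = """
<group name="local,">
  <rule id="400001" level="0">
    <description>constructed: id outside the custom range</description>
  </rule>
  <rule id="100010" level="0">
    <description>constructed: valid custom id</description>
  </rule>
</group>
<group name="local,more,">
  <rule id="100010" level="3">
    <description>constructed: same id used twice</description>
  </rule>
  <rule id="1002" level="0" overwrite="yes">
    <description>constructed: redefinition of a stock rule</description>
  </rule>
</group>
"""

def check_rule_ids(rules_text):
    """Return (rule_id, problem) tuples for the text of a rules file."""
    # A rules file may hold several top-level <group> elements, so wrap the
    # text in a synthetic root to get one parseable XML document.
    root = ET.fromstring("<root>" + rules_text + "</root>")
    problems, seen = [], set()
    for rule in root.iter("rule"):
        raw = rule.get("id", "")
        if not raw.isdigit():
            problems.append((raw, "id is missing or not a number"))
            continue
        # Assumption: a rule marked overwrite="yes" redefines a stock rule
        # and keeps the stock id, so it is exempt from the custom range.
        if rule.get("overwrite") == "yes":
            continue
        if not CUSTOM_MIN <= int(raw) <= CUSTOM_MAX:
            problems.append((raw, "outside %d-%d" % (CUSTOM_MIN, CUSTOM_MAX)))
        if raw in seen:
            problems.append((raw, "duplicate id"))
        seen.add(raw)
    return problems

if __name__ == "__main__":
    for rule_id, problem in check_rule_ids(SAMPLE_RULES):
        print("rule %s: %s" % (rule_id, problem))
```

A clean result from this check only covers numbering; whether a rule actually matches a given log line is still something to confirm with ossec-logtest.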