Re: [ossec-list] Can't filter rule by IP

2016-02-18 Thread dan (ddp)
On Feb 18, 2016 5:44 PM, "Jane Doe" wrote: > > Hey guys! > > I'm trying to filter rule 18154 by not sending email alerts for certain hosts. I've tried several ways to filter this in the local_rules.xml file. > > 1) > > 6 > > > > 18103 > ip_address//I've also

[ossec-list] Can't filter rule by IP

2016-02-18 Thread Jane Doe
Hey guys! I'm trying to filter rule 18154 by not sending email alerts for certain hosts. I've tried several ways to filter this in the local_rules.xml file. 1) 6 18103 ip_address //I've also replaced this with srcip ip_address //I've also replaced this with

[ossec-list] Re: IISv7.5 decoder attempt

2016-02-18 Thread Fredrik
Hi again :) Looking at your previous example I put this together while looking in the book where rule hierarchies are discussed. As an example, if I wanted to make an exception to web rule 31108 and say to ignore 2xx and 3xx codes unless a specific URL is requested (GET). I placed the below in

Re: [ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Daniel Cid
Yes, I use the hybrid mode quite a bit too. It basically automates the process of installing the local + agent without having to do both separately. Thanks, On Thu, Feb 18, 2016 at 2:10 PM, Kat wrote: > I use Hybrid modes for 1000s of agents and mixed managers. It allows

[ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Kat
I use Hybrid modes for 1000s of agents and mixed managers. It allows me to distribute managers, and still have centralized collection. If I lose the WAN, the hybrids continue to process alerts, and once the WANs are restored the data resumes to the central host. They have proven to be

[ossec-list] Hybrid or dual install?

2016-02-18 Thread James Dough
Looking at the hybrid install type; it installs two versions of ossec, that have been reduced. One server role and one agent role. Is the hybrid as reliable? I don't see nearly as much documentation on it. Is it a safer bet to go with dual install?

[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Regarding cpanel users... I don't know cpanel, but it seems it is part of the chkservd service (info). Anyway, you can ignore them using rules. Regards. Jesus Linares On Thursday, February 18, 2016 at

[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Hi Maxim, First, you have to activate policy_rules: ossec.conf: policy_rules.xml I guess the problem with your rule is that the decoder is not extracting the field *user*. For example, if I switch from user root to homer: "root@LinMV:~# su homer" this log is generated: "Feb 18 11:23:17

[ossec-list] Re: the length of time the user logged in

2016-02-18 Thread Jesus Linares
Hi Maxim, what is the OS of your agents? What kind of login do you want to alert on? ssh, ftp, normal login? Regards. On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote: > > Hi dear community, > > i install and configure about 10 agents, and of course i have a lot of > users,

[ossec-list] exclude service-users

2016-02-18 Thread Maxim Surdu
Hi dear community, I installed and configured about 10 agents, and of course I have a lot of users; some of these users are service users. In policy-rules.xml I have the following rules: authentication_success 4 pm - 7 am Successful login during non-business hours. login_time,