[ossec-list] Re: exclude service-users

2016-02-19 Thread Maxim Surdu
Jesus Linares, many thanks, it is working great. For the rest of the community who want the same rule with more users: user USER_NAME1 | user USER_NAME2 | user USER_NAME3 With cpanel_users I resolved it with the next code: user www-data | __cpanel__service__auth__ftpd__ Regards. Surdu Maxim Thursday, 18 February

[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Regarding cpanel users... I don't know cpanel, but it seems it is part of the chkservd service (info). Anyway, you can ignore them using rules. Regards. Jesus Linares On Thursday, February 18, 2016 at

[ossec-list] Re: exclude service-users

2016-02-18 Thread Jesus Linares
Hi Maxim, First, you have to activate policy_rules: ossec.conf: policy_rules.xml I guess the problem with your rule is that the decoder is not extracting the field *user*. For example, if I switch from user root to homer: "root@LinMV:~# su homer" this log is generated: "Feb 18 11:23:17