Hi Dimitri,
I did reply to your first post. Take a look at:
http://www.ossec.net/ossec-list/2006-September/msg00342.html

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/24/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
Hello to all.

A few weeks ago I mentioned that I'd upgraded to O-H-0.9-2 (now at O-H-0.9-3). Since then, I've been getting the following alerts from my mail server:

OSSEC HIDS Notification.
2006 Sep 27 15:32:22

Received From: (plymouth) 192.168.1.2->/var/log/messages
Rule: 40101 fired (level 12) -> "System user sucessfully logged on the system."
Portion of the log(s):

su(pam_unix)[8027]: session opened for user nobody by (uid=0)

--END OF NOTIFICATION

Hope no one minds, but I didn't get a reply to my original post, and thought I'd ask again - how would I filter out that specific alert? I'd greatly appreciate your help.

Thanks.

Dimitri
