Hi,

try to use program_name instead of the match directive.

Greetings

On Mon, 28-05-2007 at 16:00 +0300, jepa kazol wrote:
> Hi folks. I have a problem with rule overriding. I want to ignore the
> rules for "CRON[11681]: (pam_unix) session closed for user root". I
> edited the local_rules.xml like this:
>
> <rule id="100002" level="0" noalert="1">
> <if_sid>5501,5502</if_sid>
> <match>CRON</match>
> <description>CRON LOGINS</description>
> </rule>
>
>
> But I still get the alert. I tried deleting the noalert directive
> and no chance, I always get the alert for CRON jobs. What can I do
> with it?
> (I included local_rules.xml in the ossec.conf).
>
> I am using version 1.1. Is there any upgrade guide to version 1.2?

--
---
Iñaki Rodríguez [EMAIL PROTECTED]
Systems Department
Head office: (+34) 902 888 345
Technical support: (+34) 902 888 408
ACK STORM, S.L.
http://www.ackstorm.es
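
The suggestion above applied to the rule from the quoted message, as an added example that is not part of the original thread. It assumes the installed OSSEC version accepts `<program_name>` in rules; the `<group>` wrapper and its name are also assumptions.

```xml
<!-- local_rules.xml (added example, not from the original thread) -->
<!-- Target log line from the quoted message:
     CRON[11681]: (pam_unix) session closed for user root -->
<group name="local,syslog,"> <!-- wrapper and group name are assumptions -->
  <rule id="100002" level="0" noalert="1">
    <!-- Child of the two rules named in the quoted message -->
    <if_sid>5501,5502</if_sid>
    <!-- Test the pre-decoded syslog program name ("CRON")
         instead of searching the message text with <match> -->
    <program_name>CRON</program_name>
    <description>CRON LOGINS</description>
  </rule>
</group>
```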
