Hi Aaron,

Peter's suggestion is pretty good, but you don't need to overwrite the rule for it. Just adding the following rule to local_rules.xml should solve your problem.

<rule id="100100" level="0">
  <if_sid>18107</if_sid>
  <match>Logon Type: 3</match>
  <description>Windows Logon type 3 ignored.</description>
</rule>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 27, 2007 6:07 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Aaron:
>
> Yes, just copy the rule elements to /var/ossec/rules/local_rules.xml
> and use the overwrite="yes" feature to overwrite the rule.
>
> Or if the rule would be a subset, then copy the main rule which
> triggers alerts to local_rules.xml, set the level low enough or email
> to ignore, and then create separate rules for what you need
> notifications on.
>
> The Windows login rules are in /var/ossec/rules/msauth_rules.xml
>
> Based on the information you provided, rule 18107 was triggered. That
> is in the msauth_rules.xml file as
>
> <rule id="18107" level="3">
>   <if_sid>18104</if_sid>
>   <id>^528|^540|^672|^673</id>
>   <description>Windows Logon Success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> Daniel might be able to answer if you could do the equivalent of an if
> then else (i.e. if <match>Logon Type: 3</match> then ignore, else
> report), but the above may be a starting point for you.
>
> Thank you.
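To see why the level-0 child rule answers Peter's "if then else" question without overwrite="yes", here is an added example (not part of the thread and not OSSEC's own code) that models the small subset of the rule engine the thread relies on: <if_sid> parent/child chaining, the <id> prefix alternatives, the <match> substring test, and the convention that level 0 means "do not alert". It feeds the two rules quoted above, verbatim, over a few constructed Windows events. It assumes rule 18104 has already fired for every sample event (as Peter says it does for these audit-success events) and stubs out the decoder by handing the evaluator the event id directly; real OSSEC has decoders, <regex>, frequency matching and much more that is ignored here.

```python
"""Toy evaluator for the OSSEC rule chain discussed in the thread.

Added example, not OSSEC code.  It models only <if_sid> chaining,
<id> prefix alternatives, <match> substring test, and "level 0 = ignore".
"""
import xml.etree.ElementTree as ET

# The two rules from the thread: stock 18107 and the local override.
RULES_XML = """<group name="example">
<rule id="18107" level="3">
  <if_sid>18104</if_sid>
  <id>^528|^540|^672|^673</id>
  <description>Windows Logon Success.</description>
  <group>authentication_success,</group>
</rule>
<rule id="100100" level="0">
  <if_sid>18107</if_sid>
  <match>Logon Type: 3</match>
  <description>Windows Logon type 3 ignored.</description>
</rule>
</group>"""

# Constructed sample events (simplified, not real decoder output).
# Each is (event_id, raw text).  Assumption: rule 18104 already matched.
SAMPLE_EVENTS = [
    ("540", "Successful Network Logon: User Name: alice Logon Type: 3"),
    ("528", "Successful Logon: User Name: bob Logon Type: 2"),
    ("528", "Successful Logon: User Name: svc Logon Type: 3"),
    ("529", "Logon Failure: User Name: mallory Logon Type: 3"),
]
PARENT_SID = "18104"  # assumed to have fired for every sample event


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "id": r.findtext("id"),
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        }
    return rules


def id_matches(pattern, event_id):
    """OSSEC <id> syntax: '|' separates alternatives, '^' anchors to start."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if event_id.startswith(alt[1:]):
                return True
        elif alt in event_id:
            return True
    return False


def rule_matches(rule, event_id, text):
    """<id> and <match> must both hold when present (<match> is a substring)."""
    if rule["id"] is not None and not id_matches(rule["id"], event_id):
        return False
    if rule["match"] is not None and rule["match"] not in text:
        return False
    return True


def evaluate(rules, event_id, text, parent=PARENT_SID):
    """Walk children of `parent`; the deepest matching rule wins."""
    for rid, rule in rules.items():
        if rule["if_sid"] == parent and rule_matches(rule, event_id, text):
            deeper = evaluate(rules, event_id, text, parent=rid)
            return deeper if deeper is not None else rid
    return None


def alert_level(rules, event_id, text):
    """Return (rule_id, level); level 0 means OSSEC would not alert."""
    rid = evaluate(rules, event_id, text)
    if rid is None:
        return (None, 0)
    return (rid, rules[rid]["level"])


def run_samples():
    """Evaluate every constructed event against the two rules."""
    rules = load_rules(RULES_XML)
    return [alert_level(rules, eid, txt) for eid, txt in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (eid, txt), (rid, lvl) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{eid} {txt!r:60} -> rule {rid} level {lvl}")
```

The network logons (type 3) land on 100100 at level 0 and are dropped, the interactive logon stays on 18107 at level 3, and the 529 failure never enters this branch because 18107's <id> list does not include it. That is exactly the "else report" behaviour: the child only replaces its parent when its own <match> holds, so nothing needs to be overwritten. One caveat a practitioner would keep in mind: <match> is a plain substring test, so the string should be specific enough not to catch neighbouring text.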
