Daniel,

Works fine now. Many thanks.

(a small recompense - decided to buy the book!!)

Regards,

Walter Wilson
Group Network and Security Manager
ISD
V.Ships (UK) Ltd
DDI: +44 141 305 7771
Main: +44 141 243 2435

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: 08 May 2008 22:41
To: [email protected]
Subject: [ossec-list] Re: local_rules not being activated

Hi Walter,

I think the issue is in your usage of the <match> tag. When you specify it more than once, the contents are going to be concatenated, so your final match will internally look as if it were:

<match>Domain AdminsOther security enabled groups....</match>

Which will probably not match. If you want more than one field, you can use a pipe ("|") as a separator, like:

<match>string1|string2|string3</match>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, May 6, 2008 at 1:13 PM, Wilson, Walter <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm trying to enable a Windows security group change alert e-mail but
> only if, say, 'domain admins' is changed.
>
> I've reduced the standard rule (18114) alert level to 6 but added the
> following to local-rules:
>
>   <rule id="100103" level="10">
>     <if_sid>18114</if_sid>
>     <match>Domain Admins</match>
>     <match>Other security enabled groups....</match>
>     <description>Raise alerts for Admin groups</description>
>   </rule>
> </group>
>
> e-mail alert trigger is still set to 7+
>
> I'm seeing alerts on rule 18114 for all groups OTHER than those I have
> specified above.
>
> It looks as if the local_rule 100103 is not being triggered (it is being
> loaded at startup).
>
> Am I doing this correctly? Any ideas why it's not being triggered?
>
> Regards,
>
> Walter Wilson
>
> This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please contact the sender.
>
> We only print the emails we really need to
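The following is an added example, not code from the thread or from OSSEC itself. It emulates the behaviour Daniel describes (repeated <match> tags in one rule are concatenated in order) and applies the resulting pattern to a few constructed Windows group-change log lines, so you can see why the posted rule never fires and the pipe-separated form does. Assumptions, all labelled in the code: OSSEC's <match> is a plain case-sensitive substring test with "|" separating alternatives; the <group> wrapper name is made up so the fragment parses; "Enterprise Admins" stands in for Walter's "Other security enabled groups...." placeholder as the second alternative; the sample log lines are constructed, not real OSSEC or Windows events.

```python
"""Emulate OSSEC's handling of repeated <match> tags in a rule.

Added example, not OSSEC's own code. Assumed semantics (labelled):
  * repeated <match> tags in one <rule> are concatenated in document order,
    as Daniel describes in the thread;
  * <match> is a case-sensitive substring test, with '|' separating
    alternatives (any one alternative present => match).
"""
import xml.etree.ElementTree as ET

# The rule as posted, wrapped in a <group> so the fragment parses.
# The group name "local,syslog," is an assumption, not from the thread.
BROKEN_RULE = """<group name="local,syslog,">
  <rule id="100103" level="10">
    <if_sid>18114</if_sid>
    <match>Domain Admins</match>
    <match>Other security enabled groups....</match>
    <description>Raise alerts for Admin groups</description>
  </rule>
</group>"""

# The corrected form: one <match> with '|' between the alternatives.
# "Enterprise Admins" is substituted (assumption) for the placeholder text.
FIXED_RULE = """<group name="local,syslog,">
  <rule id="100103" level="10">
    <if_sid>18114</if_sid>
    <match>Domain Admins|Enterprise Admins</match>
    <description>Raise alerts for Admin groups</description>
  </rule>
</group>"""

# Constructed sample lines (not real events): two privileged-group changes,
# one change to an unprivileged group, and one unrelated logon failure.
SAMPLE_LOGS = [
    "Security Enabled Global Group Member Added: Domain Admins",
    "Security Enabled Universal Group Member Added: Enterprise Admins",
    "Security Enabled Local Group Member Added: Backup Operators",
    "Logon Failure: unknown user name or bad password",
]


def effective_match(rule_xml):
    """Return the single pattern a rule ends up with for <match>.

    Repeated <match> tags are joined in document order (the concatenation
    Daniel describes). A rule with no <match> yields None.
    """
    root = ET.fromstring(rule_xml)
    parts = [m.text or "" for m in root.iter("match")]
    return "".join(parts) if parts else None


def ossec_match(pattern, line):
    """Assumed <match> semantics: substring test, '|' acts as OR."""
    if pattern is None:
        return True  # a rule without <match> does not filter on content
    return any(alt in line for alt in pattern.split("|") if alt)


def matching_lines(rule_xml, logs=SAMPLE_LOGS):
    """Lines from `logs` that the rule's effective <match> pattern hits."""
    pattern = effective_match(rule_xml)
    return [line for line in logs if ossec_match(pattern, line)]


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(f"{name:6} pattern: {effective_match(rule)!r}")
        print(f"{name:6} hits   : {matching_lines(rule)}")
```

The broken rule collapses to the single substring "Domain AdminsOther security enabled groups....", which no event line contains, so rule 100103 never fires and the parent rule 18114 keeps alerting at its lowered level. The fixed rule hits exactly the two privileged-group lines and leaves Backup Operators and the logon failure to 18114, which is the split Walter was after.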
