Hi,

In the meantime I have a lot of "ignore-rules" to ignore all the "noise" (think Windows servers) with level="0" and <options>no_log</options>. OSSEC itself has a lot of similar rules for grouping rules, i.e. rule 31100 for all Apache access_log lines.

The problem is, all those level 0 alerts show up on the wui stats page and trash the stats, because in the "Aggregate values by severity" table 90% of alerts are level 0 alerts. Statistically, a rise in some more severe alerts would not be that relevant. They show up in /var/ossec/stats too, but I guess that is where wui gets its stats.

So is there an option to completely ignore those alerts, specifically stats-wise?
thanks! matthias
