OK, but what if you are trying to alert on user lockouts in AD, but only want to see the service accounts being locked out? How would you go about ignoring all the other users in the company and only matching the service accounts? Would you have to put each service account in the rule?
On Jul 23, 1:44 pm, Daniel Cid <[email protected]> wrote:
> Hi Rafael,
>
> If you don't want an alert if the log matches a string, just set the
> severity to 0. For example:
>
> <rule id="100456" level="0">
> <if_sid>xyz</if_sid>
> <match>testing this rule</match>
> </rule>
>
> It accomplishes the same thing as the negation.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, Jul 10, 2009 at 3:42 PM, Rafael Gomes <[email protected]> wrote:
> >
> > Hi,
> >
> > I want to modify a rule so that it does not raise an alert when the log
> > matches "testing this rule" (for example).
> >
> > I should put this in the rule:
> >
> > <match>!testing this rule</match>
> >
> > Correct?
> >
> > Thanks!
> > --
> > Rafael Brito Gomes
> > Projeto UFBA
> > LPIC-1
> > CPM Braxis
> > Tel : +55 71 3283 6102
> > http://www.cpmbraxis.com
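As an added example (not posted in this thread), one way to handle the lockout question above without listing every service account: a local_rules.xml fragment that silences all Windows lockouts with a level-0 parent, as Daniel describes, and re-raises only those whose locked-out account name follows a naming convention. The event ID 4740, the "windows" group name from OSSEC's Windows decoder, and the "svc_" prefix are all assumptions about your environment.

```xml
<group name="local,syslog,">

  <!-- Parent rule: any Windows account lockout (event 4740 is assumed to
       be the lockout event your domain controllers log). Level 0 means it
       never alerts on its own; it only exists so the child rule below can
       narrow it down. The "windows" group is assumed to be assigned by
       OSSEC's Windows event log decoder. -->
  <rule id="100500" level="0">
    <if_group>windows</if_group>
    <id>^4740$</id>
    <description>Windows account lockout (any user), suppressed.</description>
  </rule>

  <!-- Child rule: fires only when the locked-out account name matches the
       assumed service-account convention (prefix "svc_"). Adjust the regex
       to your own convention; no per-account list is needed. Note the
       "Subject" account in 4740 is normally the DC's machine account
       (ending in $), so it will not match this prefix. -->
  <rule id="100501" level="10">
    <if_sid>100500</if_sid>
    <regex>Account Name: svc_\w+</regex>
    <description>Service account locked out in AD.</description>
  </rule>

</group>
```

Verify the rule pair with ossec-logtest against a real 4740 event from your DC before relying on it, since the exact field labels depend on your Windows version and agent.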
