Hi,

As a part of our monitoring system we have a monitoring server that is accessing the servers using the xxxx user. Every minute this user is entering the servers and checking the system health. Until here everything is ok. As a part of cleaning the alerts I'm receiving from ossec I added the following parameters to local_rules.xml, which ignore user xxxx and ip yyyy.
  <!-- Ignore user xxxx -->
  <group name="local">
    <rule id="100105" level="0">
      <if_level>3</if_level>
      <user>xxxx</user>
      <description>Ignoring user xxxx</description>
    </rule>
    <rule id="100106" level="0">
      <if_level>3</if_level>
      <match>xxxx</match>
      <description>Ignoring user xxxx</description>
    </rule>
  </group>

  <!-- Ignore ip yyyy -->
  <group name="local">
    <rule id="100107" level="0">
      <if_level>3</if_level>
      <srcip>yyyy</srcip>
      <description>yyyy</description>
    </rule>
    <rule id="100108" level="0">
      <if_level>3</if_level>
      <match>yyyy</match>
      <description>yyyy</description>
    </rule>
  </group>

That is working just fine. Now the question is: how can I ignore alerts IF the xxxx user is accessing from the yyyy host ONLY? In other words, if someone from a different ip uses the xxxx user to enter the servers, I want to get alerts.

Hope it was informative enough.

Thanks
Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it
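One way to express "ignore xxxx only when it comes from yyyy", as an added example that is not part of the original post: OSSEC treats every condition inside one rule as an AND, so a single level-0 rule carrying both the <user> and the <srcip> only silences that exact combination, while a login by xxxx from any other address still matches the normal level-3 login rules and alerts. The placeholders xxxx and yyyy are kept from the post; the rule ids and the optional escalation rule (level 7) are assumptions for the example, and the second rule relies on OSSEC evaluating level-0 rules before rules of higher level. The <srcip> field is only available when the decoder for the log source (e.g. sshd) extracts a source ip, so check the decoded output with ossec-logtest first.

```xml
<!-- local_rules.xml: added example, not the poster's configuration -->
<group name="local">

  <!-- Silence ONLY the expected combination: user xxxx from ip yyyy.
       Both <user> and <srcip> must match for this rule to fire. -->
  <rule id="100110" level="0">
    <if_level>3</if_level>
    <user>xxxx</user>
    <srcip>yyyy</srcip>
    <description>Monitoring account xxxx from its monitoring host yyyy (ignored)</description>
  </rule>

  <!-- Optional: make the unexpected case louder than the default level 3.
       Because the level-0 rule above is evaluated first, this rule is
       only reached when xxxx logs in from somewhere other than yyyy.
       Level 7 is an assumed value; pick whatever level your notification
       threshold in ossec.conf uses. -->
  <rule id="100111" level="7">
    <if_level>3</if_level>
    <user>xxxx</user>
    <description>Monitoring account xxxx used from an unexpected source ip</description>
  </rule>

</group>
```

With this in place the two <match> rules from the post (100106 and 100108) are no longer needed for this goal; a bare <match>xxxx</match> with level 0 would suppress any log line containing that string regardless of where it came from, which is the opposite of what the question asks for. The <srcip> and <user> rules 100105 and 100107 should also be removed, since either of them on its own would again silence the login before the combined rule gets a chance to decide.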
