So to solve your problem, Rafael, you'd have to make two new rules.
Take the first rule Oscar shows above, but set the alert level to 0:
<rule id="100001" level="0">
<if_sid>18140</if_sid>
<match>C:\Program Files\VMware\VMware Tools\VMwareService.exe</
match>
<description>VMwareService did something</description>
<group>time_changed,</group>
</rule>
Then create a second rule with the second string:
<rule id="100002" level="10">
<if_sid>100001</if_sid>
<match>The system time was changed.</match>
<description>System time changed by VMwareService.exe</
description>
<group>time_changed,</group>
</rule>
Rule 100002 will only trigger if the event contains both strings, and
no alert will happen otherwise.
To unsubscribe from this group, send email to
ossec-list+unsubscribegooglegroups.com or reply to this email with the words
"REMOVE ME" as the subject.
