From what you sent previously, I only saw the IP address in one of the
log lines.
How do you expect the other alerts to know about the IP address if the
IP is not provided in the log message?

The sample rule I sent should eliminate one of the alerts when using
ssh (and you'd want to add that user into the match line).

On Tue, Mar 23, 2010 at 4:14 AM, Ozgur Ozdemircili
<[email protected]> wrote:
> But that will stop alerts from all the servers, right?
> I have just added 2 more servers as ossec clients. Same problem..
> As they are WebLogic servers they all the time, I mean literally every
> second, connect to the other node by ssh and check the health of the server.
> Then in the alert log I see 3 messages for every time they log on to each
> other. SIDs 5502/5501/5715
>
> There are really no ways to do it? I mean we are basically talking about:
> If user a enters from host b do not alert me.
> Any suggestions?
>
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
>
>
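
The following local_rules.xml fragment is an added example, not part of the original thread and not the sample rule the reply refers to. It shows why the three SIDs need different handling: only the sshd line behind 5715 carries a source IP, so the PAM session rules 5501/5502 can only be narrowed by user name. The user name `wlmonitor`, the address 192.0.2.10, the rule IDs 100100-100102 and the exact PAM message wording are assumptions.

```xml
<!-- Added example; wlmonitor, 192.0.2.10 and the rule IDs are placeholders. -->
<group name="local,syslog,">

  <!-- 5715 (sshd authentication success): the sshd log line contains both
       the user and the source IP, so the exception can be tied to
       "user a from host b". -->
  <rule id="100100" level="0">
    <if_sid>5715</if_sid>
    <srcip>192.0.2.10</srcip>
    <user>wlmonitor</user>
    <description>Ignore health-check SSH login from the peer node.</description>
  </rule>

  <!-- 5501 (login session opened): the PAM line has no IP address, so the
       only available discriminator is the user name in the message text.
       This silences session-open alerts for this user from ANY source. -->
  <rule id="100101" level="0">
    <if_sid>5501</if_sid>
    <match>session opened for user wlmonitor by</match>
    <description>Ignore PAM session open for the health-check user.</description>
  </rule>

  <!-- 5502 (login session closed): same limitation as 5501. The trailing $
       anchors the match so longer user names with the same prefix still alert. -->
  <rule id="100102" level="0">
    <if_sid>5502</if_sid>
    <match>session closed for user wlmonitor$</match>
    <description>Ignore PAM session close for the health-check user.</description>
  </rule>

</group>
```

Because the two PAM exceptions cannot be bound to a host, a dedicated account used only for the health check keeps the suppressed scope as small as possible.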
