Hi all,

Dan, I think Wim has got the idea of what I am trying to accomplish here. The first log I sent didn't have any IP, as I had modified the localrules.xml. Now I have disabled the rule and I can see the IP coming up.

The only thing is OSSEC should contain some kinda mechanism to stop the 3 alerts, sids 5501 5502 5715, when I enter from a specific host with a specific user. This is really creating me a lot of, I mean a lot of, alerts that I do not wish to see. Any more ideas here?

Thanks a lot.

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Tue, Mar 23, 2010 at 1:47 PM, dan (ddp) <[email protected]> wrote:
> From what you sent previously, I only saw the IP address in one of the
> log lines.
> How do you expect the other alerts to know about the IP address if the
> IP is not provided in the log message?
>
> The sample rule I sent should eliminate one of the alerts when using
> ssh (and you'd want to add that user into the match line).
>
> On Tue, Mar 23, 2010 at 4:14 AM, Ozgur Ozdemircili
> <[email protected]> wrote:
> > But that will stop alerts from all the servers, right?
> > I have just added 2 more servers as ossec clients. Same problem..
> > As they are weblogic servers they all the time, I mean literally every
> > second, connect to the other node by ssh and check the health of the server.
> > Then on the alert log I see 3 messages for every time they log on to each
> > other. SIDS 5502/5501/5715
> >
> > There are really no ways to do it? I mean we are basically talking about:
> > If user a enters from host b do not alert me.
> > Any suggestions?
> >
> > Özgür Özdemircili
> > http://www.acikkod.org
> > Code so clean you could eat off it
> >
>
> To unsubscribe from this group, send email to ossec-list+unsubscribegooglegroups.com or reply to this email with the words "REMOVE ME" as the subject.
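One way to write the "user a from host b, do not alert me" suppression in OSSEC's local_rules.xml, as an added example that is not code from dan's reply or from the OSSEC project. The rule ids 100100/100101, the peer address 192.0.2.10 and the user name healthcheck are placeholders I assumed; replace them with the real weblogic peer and monitoring account. It follows dan's point: only the sshd "accepted" event (5715) carries a source IP, so that rule can be keyed on both srcip and user, while the PAM session open/close events (5501, 5502) carry the user but no IP and can only be keyed on user.

```xml
<!-- Added example for local_rules.xml: silence the health-check SSH logins
     between weblogic nodes. Level 0 means the match is dropped, not alerted.
     Local rule ids should be in the 100000+ range reserved for custom rules. -->
<group name="local,syslog,sshd,">

  <!-- 5715 = sshd authentication success; the log line has both the source
       IP and the user, so require both before suppressing. -->
  <rule id="100100" level="0">
    <if_sid>5715</if_sid>
    <srcip>192.0.2.10</srcip>            <!-- placeholder: peer node address -->
    <user>healthcheck</user>             <!-- placeholder: monitoring account -->
    <description>Ignore health-check SSH login from the weblogic peer node.</description>
  </rule>

  <!-- 5501/5502 = PAM session opened/closed; these lines carry no source IP,
       so the suppression can only be keyed on the user name. -->
  <rule id="100101" level="0">
    <if_sid>5501,5502</if_sid>
    <user>healthcheck</user>             <!-- placeholder: monitoring account -->
    <description>Ignore PAM session open/close for the health-check account.</description>
  </rule>

</group>
```

Because 100101 cannot see the IP, it silences PAM session events for that account from any host, so the account should be one used only for the peer health checks; if the same user also logs in interactively, keep 100101 out and accept the 5501/5502 noise, or give the checks a dedicated account. Restart ossec-analysisd after editing and confirm with ossec-logtest that a sample "Accepted publickey for healthcheck from 192.0.2.10" line now matches 100100 at level 0.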
