I have added the following to my local_rules.xml but I continue to get the alerts emailed, am I missing something else?
<rule id="1000020" level="0"> <hostname>BDC|PDC</hostname> <if_level>10</if_level> <user>LTDPM1$</user> <description>Ignoring DPM Backup User</description> </rule> On Apr 19, 3:38 pm, fusspils <[email protected]> wrote: > Hi, > > I am constantly getting the Rule: 18152 fired (level 10) -> "Multiple > Windows Logon Failures." Sent to my inbox. It is being created and > sent so many times because of a backup program. Is there a way to > stop it being fired/emailed if the rule is triggered by a certain user > ie/ the backup machines user? > > I have found a way to disable the rule from firing but would like to > just avoid this one user. > > Fusspils > > -- > Subscription > settings:http://groups.google.com/group/ossec-list/subscribe?hl=en
