Have you tried adding <if_sid>18152</if_sid>?
On Wed, Apr 21, 2010 at 8:11 AM, fusspils <[email protected]> wrote: > I have added the following to my local_rules.xml but I continue to get > the alerts emailed, am I missing something else? > > <rule id="1000020" level="0"> > <hostname>BDC|PDC</hostname> > <if_level>10</if_level> > <user>LTDPM1$</user> > <description>Ignoring DPM Backup User</description> > </rule> > > > On Apr 19, 3:38 pm, fusspils <[email protected]> wrote: >> Hi, >> >> I am constantly getting the Rule: 18152 fired (level 10) -> "Multiple >> Windows Logon Failures." Sent to my inbox. It is being created and >> sent so many times because of a backup program. Is there a way to >> stop it being fired/emailed if the rule is triggered by a certain user >> ie/ the backup machines user? >> >> I have found a way to disable the rule from firing but would like to >> just avoid this one user. >> >> Fusspils >> >> -- >> Subscription >> settings:http://groups.google.com/group/ossec-list/subscribe?hl=en >
