Thanks for your reply Dan, I have just tried what you suggested but still get the mails. I restarted the OSSEC server with the same results. The rule now reads..
<!-- Specify here a list of rules to ignore. --> <!-- <rule id="1000020" level="0"> <if_level>10</if_level> <hostname>BDC|PDC</hostname> <if_sid>18152</if_sid> <user>LTDPM1$</user> <description>Ignoring DPM</description> </rule> --> On Apr 21, 2:06 pm, "dan (ddp)" <[email protected]> wrote: > Have you tried adding <if_sid>18152</if_sid>? > > > > On Wed, Apr 21, 2010 at 8:11 AM, fusspils <[email protected]> wrote: > > I have added the following to my local_rules.xml but I continue to get > > the alerts emailed, am I missing something else? > > > <rule id="1000020" level="0"> > > <hostname>BDC|PDC</hostname> > > <if_level>10</if_level> > > <user>LTDPM1$</user> > > <description>Ignoring DPM Backup User</description> > > </rule> > > > On Apr 19, 3:38 pm, fusspils <[email protected]> wrote: > >> Hi, > > >> I am constantly getting the Rule: 18152 fired (level 10) -> "Multiple > >> Windows Logon Failures." Sent to my inbox. It is being created and > >> sent so many times because of a backup program. Is there a way to > >> stop it being fired/emailed if the rule is triggered by a certain user > >> ie/ the backup machines user? > > >> I have found a way to disable the rule from firing but would like to > >> just avoid this one user. > > >> Fusspils > > >> -- > >> Subscription > >> settings:http://groups.google.com/group/ossec-list/subscribe?hl=en- Hide > >> quoted text - > > - Show quoted text -
