Do you have the <!-- and --> around the rule? If so, the rule is commented out. This one is a tough one to test due to 18152's structure. I'd consider taking out the hostname field to start with, maybe see if that helps.
On Wed, Apr 21, 2010 at 1:56 PM, fusspils <[email protected]> wrote:
> Thanks for your reply Dan,
>
> I have just tried what you suggested but still get the mails. I
> restarted the OSSEC server with the same results. The rule now
> reads..
>
> <!-- Specify here a list of rules to ignore. -->
> <!--
> <rule id="1000020" level="0">
> <if_level>10</if_level>
> <hostname>BDC|PDC</hostname>
> <if_sid>18152</if_sid>
> <user>LTDPM1$</user>
> <description>Ignoring DPM</description>
> </rule>
> -->
>
> On Apr 21, 2:06 pm, "dan (ddp)" <[email protected]> wrote:
>> Have you tried adding <if_sid>18152</if_sid>?
>>
>> On Wed, Apr 21, 2010 at 8:11 AM, fusspils <[email protected]> wrote:
>> > I have added the following to my local_rules.xml but I continue to get
>> > the alerts emailed, am I missing something else?
>> >
>> > <rule id="1000020" level="0">
>> > <hostname>BDC|PDC</hostname>
>> > <if_level>10</if_level>
>> > <user>LTDPM1$</user>
>> > <description>Ignoring DPM Backup User</description>
>> > </rule>
>> >
>> > On Apr 19, 3:38 pm, fusspils <[email protected]> wrote:
>> >> Hi,
>> >>
>> >> I am constantly getting the Rule: 18152 fired (level 10) -> "Multiple
>> >> Windows Logon Failures." Sent to my inbox. It is being created and
>> >> sent so many times because of a backup program. Is there a way to
>> >> stop it being fired/emailed if the rule is triggered by a certain user
>> >> ie/ the backup machines user?
>> >>
>> >> I have found a way to disable the rule from firing but would like to
>> >> just avoid this one user.
>> >>
>> >> Fusspils
>> >>
>> >> --
>> >> Subscription
>> >> settings:http://groups.google.com/group/ossec-list/subscribe?hl=en
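The commented-out check raised at the top of this message can be done mechanically. The following is an added example, not part of the original thread or of OSSEC: the function name `rule_status` is hypothetical, and the sample text is the rule as posted in the quoted message. It only reports whether a rule definition sits inside an XML comment; it does not say whether the rule would match once active.

```python
import re

# An XML comment; an unterminated "<!--" is treated as running to end of file.
COMMENT_RE = re.compile(r"<!--.*?(?:-->|\Z)", re.DOTALL)
# Opening tag of a rule, capturing its numeric id attribute.
RULE_RE = re.compile(r'<rule\s+[^>]*\bid\s*=\s*"(\d+)"')

def rule_status(xml_text):
    """Map each rule id found in the text to 'active' or 'commented-out'."""
    spans = [m.span() for m in COMMENT_RE.finditer(xml_text)]
    status = {}
    for m in RULE_RE.finditer(xml_text):
        inside = any(start <= m.start() < end for start, end in spans)
        rule_id = m.group(1)
        # If an id appears both ways, the active definition is what gets loaded.
        if not inside or rule_id not in status:
            status[rule_id] = "commented-out" if inside else "active"
    return status

# The rule exactly as quoted in the thread (wrapped in comment markers).
POSTED = """<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="1000020" level="0">
  <if_level>10</if_level>
  <hostname>BDC|PDC</hostname>
  <if_sid>18152</if_sid>
  <user>LTDPM1$</user>
  <description>Ignoring DPM</description>
</rule>
-->
"""

# Constructed variant: same rule with the surrounding comment markers removed.
UNCOMMENTED = POSTED.replace("<!--\n<rule", "<rule").replace("</rule>\n-->", "</rule>")

if __name__ == "__main__":
    for label, text in (("as posted", POSTED), ("markers removed", UNCOMMENTED)):
        for rule_id, state in rule_status(text).items():
            print(f"{label}: rule {rule_id} is {state}")
```
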
