Yes, I did have the <!-- and --> around the rule, which I have now removed. I also removed the hostname field, restarted the OSSEC server but still get the mails. Any other ideas?

On Apr 21, 9:30 pm, "dan (ddp)" <[email protected]> wrote:
> Do you have the <!-- and --> around the rule? If so, the rule is commented
> out.
> This one is a tough one to test due to 18152's structure. I'd consider
> taking out the hostname field to start with, maybe see if that helps.
>
> On Wed, Apr 21, 2010 at 1:56 PM, fusspils <[email protected]> wrote:
> > Thanks for your reply Dan,
> >
> > I have just tried what you suggested but still get the mails. I
> > restarted the OSSEC server with the same results. The rule now
> > reads:
> >
> > <!-- Specify here a list of rules to ignore. -->
> > <!--
> > <rule id="1000020" level="0">
> >   <if_level>10</if_level>
> >   <hostname>BDC|PDC</hostname>
> >   <if_sid>18152</if_sid>
> >   <user>LTDPM1$</user>
> >   <description>Ignoring DPM</description>
> > </rule>
> > -->
> >
> > On Apr 21, 2:06 pm, "dan (ddp)" <[email protected]> wrote:
> >> Have you tried adding <if_sid>18152</if_sid>?
> >>
> >> On Wed, Apr 21, 2010 at 8:11 AM, fusspils <[email protected]> wrote:
> >> > I have added the following to my local_rules.xml but I continue to get
> >> > the alerts emailed, am I missing something else?
> >> >
> >> > <rule id="1000020" level="0">
> >> >   <hostname>BDC|PDC</hostname>
> >> >   <if_level>10</if_level>
> >> >   <user>LTDPM1$</user>
> >> >   <description>Ignoring DPM Backup User</description>
> >> > </rule>
> >> >
> >> > On Apr 19, 3:38 pm, fusspils <[email protected]> wrote:
> >> >> Hi,
> >> >>
> >> >> I am constantly getting the Rule: 18152 fired (level 10) -> "Multiple
> >> >> Windows Logon Failures." sent to my inbox. It is being created and
> >> >> sent so many times because of a backup program. Is there a way to
> >> >> stop it being fired/emailed if the rule is triggered by a certain user,
> >> >> i.e. the backup machine's user?
> >> >>
> >> >> I have found a way to disable the rule from firing but would like to
> >> >> just avoid this one user.
> >> >>
> >> >> Fusspils
