Strange. I haven't seen these alerts myself, so excuse any silly
questions. Is the offending username included in the alert?
Any complaints in the logs about this rule?
Try running the various ossec daemons with the "-d" flag. This puts
them in a debug mode.

Maybe try something like this:

  <rule id="99999" level="0">
    <if_sid>18152</if_sid>
    <user>LTDPM1</user>
    <description>Ignoring DPM</description>
  </rule>

I changed the rule id because the documentation says 99999 is the
highest you can use (although I'm thinking I've used higher and had it
work).

On Fri, Apr 23, 2010 at 4:28 AM, fusspils <[email protected]> wrote:
> Yes, I did have the <!-- and --> around the rule, which I have now
> removed. I also removed the hostname field, restarted the OSSEC
> server but still get the mails. Any other ideas?
>
>
>

