Hello, each time I go to restart my Ossec, I get a notification:

Received From: ossec->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.

I also get level 5 notifications:

OSSEC HIDS Notification.
2010 Jun 21 10:03:25

Received From: ossec->/var/log/secure
Rule: 5710 fired (level 5) -> "Attempt to login using a non-existent user"
Portion of the log(s):

Jun 21 10:03:24 ossec sshd[18609]: Failed password for invalid user jimbo from 130.68.4.108 port 50939 ssh2

--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Jun 21 10:03:27

Received From: ossec->/var/log/secure
Rule: 5504 fired (level 5) -> "Attempt to login with an invalid user."
Portion of the log(s):

Jun 21 10:03:26 ossec sshd[18609]: pam_unix(sshd:auth): check pass; user unknown

--END OF NOTIFICATION

OSSEC HIDS Notification.
2010 Jun 21 10:03:27

Received From: ossec->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

I have everything set so that it should not send me notifications for anything under level 7, and I have tried the different suggestions with no luck. Would the best choice of action be to copy these rules, put them into the local_rules.xml files, and then add in the do not email?

Michael
