I tried a few different ones but nothing worked; examples below. When I tested with ossec logtest, nothing reported back.

<rule id="100014" level="0">
  <if_group>syscheck</if_group>
  <description>Changes ignored.</description>
  <match>/etc/</match>
</rule>

<rule id="100015" level="0">
  <if_sid>550</if_sid>
  <match>/etc</match>
  <description>Events ignored</description>
</rule>

On Aug 7, 2:27 am, "dan (ddp)" <[email protected]> wrote:
> On Fri, Aug 6, 2010 at 10:44 AM, JohnB7 <[email protected]> wrote:
> > Hi,
> >
> > I am trying to stop rule 550 from sending emails but cannot complete.
> > I created a rule for it but it does not work.
> >
> > Does anyone know how to stop these emails from arriving.
> > I am new to OSSEC so do not fully understand how it works.
>
> Post the rule you added. Did you restart ossec after adding the rule?
> It should be something like:
>
> <rule id="blahblah" level="0">
>   <if_sid>550</if_sid>
>   <description>Ignore alert.</description>
> </rule>
