Try <if_matched_group>syscheck</if_matched_group> http://www.ossec.net/main/manual/manual-syscheck/
On Mon, Aug 9, 2010 at 4:09 AM, JohnB7 <[email protected]> wrote:
> I tried a few different ones but nothing worked, examples below.
> When I tested with ossec logtest nothing reported back.
>
> <rule id="100014" level="0" >
>   <if_group>syscheck</if_group>
>   <description>Changes ignored.</description>
>   <match>/etc/</match>
> </rule>
>
> <rule id="100015" level="0">
>   <if_sid>550</if_sid>
>   <match>/etc</match>
>   <description>Events ignored</description>
> </rule>
>
> On Aug 7, 2:27 am, "dan (ddp)" <[email protected]> wrote:
>> On Fri, Aug 6, 2010 at 10:44 AM, JohnB7 <[email protected]> wrote:
>> > Hi,
>> >
>> > I am trying to stop rule 550 from sending emails but cannot complete.
>> > I created a rule for it but it does not work.
>> >
>> > Does anyone know how to stop these emails from arriving?
>> > I am new to OSSEC so do not fully understand how it works.
>>
>> Post the rule you added. Did you restart ossec after adding the rule?
>> It should be something like:
>>
>> <rule id="blahblah" level="0">
>>   <if_sid>550</if_sid>
>>   <description>Ignore alert.</description>
>> </rule>
