It seems like "weekdays" is the one that works. It works as expected. Thanks!
On Oct 25, 2:16 pm, "dan (ddp)" <[email protected]> wrote:
> On Mon, Oct 25, 2010 at 4:46 PM, Jeremy Lee <[email protected]> wrote:
> > I just tested <weekday>weekday</weekday> and it threw an error upon
> > restarting OSSEC. I tried with "weekdays" and it seemed to go through fine.
> > I'm testing out a rule now. I guess I'll leave "weekdays" in and post
> > another update if there are no alerts on the weekend!
>
> Please let us know. I'll make a note to try and check the source tomorrow.
>
> > On Mon, Oct 25, 2010 at 1:41 PM, dan (ddp) <[email protected]> wrote:
> >
> >> On Mon, Oct 25, 2010 at 4:31 PM, Jeremy Lee <[email protected]> wrote:
> >> > Nevermind, I think that's it... one question on the "<weekday>" flag
> >> > though.
> >> > What parameter would I use for the actual weekdays? Just "weekday" or
> >> > "weekdays"? In the example, it lists specific days and "weekends".
> >
> >> It looks like "weekday":
> >> http://www.ossec.net/doc/syntax/head_rules.html#element-group.rule.we...
> >> I'd have to check the source to get more information.
> >
> >> > On Mon, Oct 25, 2010 at 1:21 PM, Jeremy Lee <[email protected]> wrote:
> >
> >> >> Thanks Dan... btw, is the option to have a rule fire at a specific time
> >> >> just "<time>" within the rule ID itself?
> >
> >> >> http://www.mail-archive.com/[email protected]/msg07544.html
> >
> >> >> On Sun, Oct 24, 2010 at 1:09 PM, dan (ddp) <[email protected]> wrote:
> >
> >> >>> On Sat, Oct 23, 2010 at 11:27 PM, Jeremy Lee <[email protected]> wrote:
> >> >>> > It shows it is here:
> >> >>> > http://www.ossec.net/wiki/Know_How:GranularEmail
> >
> >> >>> > example:
> >
> >> >>> > <email_alerts>
> >> >>> >   <email_to>[email protected]</email_to>
> >> >>> >   <rule_id>123, 124</rule_id>
> >> >>> >   <do_not_delay />
> >> >>> >   <do_not_group />
> >> >>> > </email_alerts>
> >
> >> >>> > Was that a mistake in the older doc?
> >
> >> >>> > BTW: is there a way to get OSSEC to log/email alerts in a specific
> >> >>> > time window (i.e. between 8am-5pm)?
> >
> >> >>> In my other email I meant set <email_alert_level> to a lower number to
> >> >>> see if that helps. It looks like analysisd only compares the rule's
> >> >>> level to <email_alert_level> to decide whether to send out an email or
> >> >>> not. I'm going to ask for confirmation before updating the docs with
> >> >>> this information.
> >
> >> >>> I don't see an option to email during a certain time, but there are
> >> >>> options for the rules to only fire during certain times.
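As an added illustration (not posted in the thread and not taken from the OSSEC project's shipped rules), the two pieces of configuration the thread arrives at, put together: a local rule restricted with <time> and <weekday>weekdays</weekday>, and a granular <email_alerts> block that mails only that rule. The rule ID 100001, the parent rule 5716 (sshd authentication failure in OSSEC's sshd_rules.xml), the rule level and the recipient address are assumptions for the example; substitute IDs and addresses that fit your own deployment.

```xml
<!-- Added example, not from the thread. First fragment goes in rules/local_rules.xml.
     Rule 100001 (local range) and parent rule 5716 are assumed for illustration. -->
<group name="local,syslog,">
  <!-- Fires only for sshd failures that arrive between 8 am and 5 pm, Monday to
       Friday. <weekday> takes "weekdays", "weekends" or a day name; the singular
       "weekday" is rejected when OSSEC restarts, as the thread found. The window
       restricts when the rule matches, not when email is sent. -->
  <rule id="100001" level="10">
    <if_sid>5716</if_sid>
    <time>8 am - 5 pm</time>
    <weekday>weekdays</weekday>
    <description>sshd authentication failure during business hours (assumed rule)</description>
  </rule>
</group>

<!-- Second fragment goes in ossec.conf. Per Dan's reading in the thread, analysisd
     compares the rule level against <email_alert_level>, so the rule above is kept
     at a level at or above that threshold. The recipient address is a placeholder. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>100001</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

Because the time window lives on the rule, an sshd failure outside business hours simply does not match rule 100001; it still matches 5716 and is logged and emailed according to that rule's own level and the global <email_alert_level>. If the goal is to silence email outside the window rather than to add an extra alert inside it, the thread's conclusion still applies: there is no per-time-window email option, only per-rule time restrictions.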
