Figure out which events are triggered by the users you're worried about logging into the windows system, and add rules to local_rules.xml to deal with this.
Modifying the rule in sshd_rules.xml is the wrong way to do things. You should use the overwrite="yes" option and put it in local_rules.xml (or write new rules with if_sid):

<rule id="5715" level="3" overwrite="yes">
  <if_sid>5700</if_sid>
  <options>alert_by_email</options>
  <match> ...

On Wed, Apr 6, 2011 at 11:57 PM, netkey <[email protected]> wrote:
> Hi,
>
> I have installed the ossec agent on several operating systems: windows, linux, freebsd etc. Now I want email alerts sent to me when the system administrator logs in to the system. Under linux or freebsd I can add the options in sshd_rules.xml, like this:
>
> <rule id="5715" level="3">
>   <if_sid>5700</if_sid>
>   <options>alert_by_email</options>
>   <match>^Accepted|authenticated.$</match>
>   <description>SSHD authentication success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> But how can I do this on Windows, and ignore it when the src ip is null?
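A complete local_rules.xml showing both pieces of advice above, as an added example that is not from the thread: the 5715 override is filled in with the match and description from netkey's post, and the Windows rule hangs off the stock Windows logon-success rule (assumed here to be id 18107 in msauth_rules.xml, so check your installed copy) and is restricted to named accounts (placeholder user names; rule id 100100 is taken from the range OSSEC reserves for local rules).

```xml
<!-- Added example local_rules.xml; not from the mailing-list thread.
     Assumptions: 18107 is the stock "Windows Logon Success" rule in
     msauth_rules.xml, and the account names below are placeholders. -->
<group name="local,">

  <!-- The sshd override from the reply, completed with the match and
       description from the quoted post. overwrite="yes" replaces the stock
       5715 in memory, so sshd_rules.xml stays untouched and the change
       survives an OSSEC upgrade. -->
  <rule id="5715" level="3" overwrite="yes">
    <if_sid>5700</if_sid>
    <options>alert_by_email</options>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Windows: rather than overwriting the stock rule, add a child rule
       that only fires for the accounts you care about. The <user> field is
       matched against the user the Windows event log decoder extracted.
       Confirm the parent id first, e.g.
       grep -n "Logon Success" /var/ossec/rules/msauth_rules.xml -->
  <rule id="100100" level="7">
    <if_sid>18107</if_sid>
    <user>^Administrator$|^netkey$</user>
    <options>alert_by_email</options>
    <description>Administrative account logged on to a Windows host.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

alert_by_email only works if email notification is enabled in the <global> section of ossec.conf; restart OSSEC after editing local_rules.xml so the rules are reloaded.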
