On Thu, Sep 29, 2011 at 11:03 AM, banjer <[email protected]> wrote:
> Hi,
> I'd like to disable alerts for just my Windows hosts. I'm using a

Why use OSSEC on them if you don't want the alerts?

> centralized configuration, so in /var/ossec/etc/shared/agent.conf I
> set this:
>
>
> <agent_config os="Windows">
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <!-- Disable email alerts for Windows -->
>     <email_alert_level>0</email_alert_level>
>   </alerts>
> </agent_config>
>

Alerts do not come from agents, they come from the manager.

> Then restarted ossec and checked md5sum of agent.conf to ensure the
> Windows host got the update, but it still sends me emails.
>
> Is this not something that can be done as a centralized config, i.e.
> must be done on the master OSSEC server? If so what conf file should
> it go in, and what is the proper xml syntax?
>

You could possibly create rules to look at the location of the log messages, and if they contain that host ignore them. Haven't really tried this though.

> Thanks all,
> banjer
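
A sketch of the manager-side rule the reply suggests, added here as an illustration and not part of the original thread. It assumes the stock Windows parent rule 18100 from msauth_rules.xml; the agent name win-host01 and the rule ID 100100 are placeholders.

```xml
<!-- /var/ossec/rules/local_rules.xml on the manager (added example) -->
<group name="local,windows,">

  <!-- Placeholder ID; local rules conventionally use IDs from 100000 up. -->
  <rule id="100100" level="0">
    <!-- Assumption: 18100 is the stock "Group of windows rules" parent,
         so this child is checked for every Windows event log entry. -->
    <if_sid>18100</if_sid>

    <!-- Placeholder agent name. For agent events the hostname field is
         taken from the alert location, e.g. "(win-host01) 10.0.0.5". -->
    <hostname>win-host01</hostname>

    <description>Ignore Windows event log alerts from win-host01.</description>
  </rule>

</group>
```

A level 0 rule drops the event from alerts.log as well as from email, so this is broader than the email_alert_level setting in the quoted agent.conf. The manager has to be restarted for the rule to load.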
