We are mainly using OSSEC for its ability to collect logs from Windows and Linux and "categorize" them with the various rules. We have monitoring in place with nagios currently, so don't really need that. Thanks for the tips, I may just disable alerts altogether.
On Sep 29, 1:05 pm, "dan (ddp)" <[email protected]> wrote:
> On Thu, Sep 29, 2011 at 11:03 AM, banjer <[email protected]> wrote:
> > Hi,
> > I'd like to disable alerts for just my Windows hosts. I'm using a
>
> Why use OSSEC on them if you don't want the alerts?
>
> > centralized configuration, so in /var/ossec/etc/shared/agent.conf I
> > set this:
> >
> > <agent_config os="Windows">
> > <alerts>
> > <log_alert_level>1</log_alert_level>
> > <!-- Disable email alerts for Windows -->
> > <email_alert_level>0</email_alert_level>
> > </alerts>
> > </agent_config>
>
> Alerts do not come from agents, they come from the manager.
>
> > Then restarted ossec and checked md5sum of agent.conf to ensure the
> > Windows host got the update, but it still sends me emails.
> >
> > Is this not something that can be done as a centralized config, i.e.
> > must be done on the master OSSEC server? If so what conf file should
> > it go in, and what is the proper xml syntax?
>
> You could possibly create rules to look at the location of the log
> messages, and if they contain that host ignore them. Haven't really
> tried this though.
>
> > Thanks all,
> > banjer
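One way to act on dan's suggestion while keeping what banjer wants (the Windows events still collected and categorised, just no email about them) is a local rule on the manager, since that is where alerts and emails are generated. This is an added example, not something posted in the thread: the agent name WIN-HOST-01 is a placeholder, rule id 100100 is an arbitrary value in OSSEC's local rule range (100000-119999), and it assumes the events in question are matched by the stock rules in the "windows" group.

```xml
<!-- /var/ossec/rules/local_rules.xml on the manager (added example, not from the thread) -->
<group name="local,">

  <!-- Child of every rule in the "windows" group: fires only when the event
       came from the agent named WIN-HOST-01 (placeholder). The child's level
       replaces the parent's, so 3 is a placeholder kept above the manager's
       log_alert_level (1 in the thread) so the event still lands in alerts.log;
       no_email_alert stops ossec-maild from sending mail for it. -->
  <rule id="100100" level="3">
    <if_group>windows</if_group>
    <hostname>WIN-HOST-01</hostname>
    <options>no_email_alert</options>
    <description>Windows event from WIN-HOST-01: logged, email suppressed.</description>
  </rule>

</group>
```

After saving the file, restart the manager with /var/ossec/bin/ossec-control restart. A quick check is to compare the alert counts in /var/ossec/logs/alerts/alerts.log before and after: the Windows entries for that host should still appear (now under rule 100100), while the mail stops. The alternative of lowering <email_alert_level> in the <alerts> section of the manager's own /var/ossec/etc/ossec.conf is global and would silence email for the Linux hosts too, which is why a per-host rule is the better fit here.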
