Hi Michael
I have a rule limiting alerts on 18154 events inside my local_rules.xml file:
<rule id="101013" level="7" frequency="4" timeframe="1600">
  <if_matched_sid>18154</if_matched_sid>
  <match>WinEvtLog: System: ERROR(13): NPS:</match>
  <description>turn down the noise on this event</description>
</rule>
My understanding is that this rule will generate an email (level 7) after more
than 4 matching events, and will not send more than one alert every 1600
seconds.
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
Read the section on understanding rules in this doc; it helped me a lot to grasp
alert filtering.
I'm still new to this. If someone sees an error with my rule, I don't mind if
you point out the error of my ways...
cheers
-tom
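An added example, not taken from the thread, of a local rule that silences rule 18154 for the misbehaving application. A composite rule that only fires after 18154 has already alerted several times adds an alert rather than removing one; to stop the level-10 alert itself you need a child rule of 18154 at level 0. Rules are evaluated on the OSSEC manager, not on the agent, so this goes into the manager's local_rules.xml. The rule id 100200 is an assumed free id in the local range (100000-119999), and the match string is the event text quoted earlier in the thread:

```xml
<!-- Added example for the manager's local_rules.xml (not from the original posts).
     Rule id 100200 is an assumption; use any unused id between 100000 and 119999. -->
<group name="local,windows,">

  <!-- Child rule of 18154: evaluated only after 18154 has matched, and tested
       against the event that completed the count. Level 0 means "no alert",
       so nothing is e-mailed and nothing is written to alerts.log for this case.
       Use level="3" instead if you still want it in alerts.log but below the
       default email_alert_level of 7. -->
  <rule id="100200" level="0">
    <if_sid>18154</if_sid>
    <match>WinEvtLog: System: ERROR(13): NPS:</match>
    <description>Ignore 'Multiple Windows error events' bursts caused by NPS</description>
  </rule>

</group>
```

After editing, restart the manager (ossec-control restart) and paste a few of the offending event lines into /var/ossec/bin/ossec-logtest to confirm that 100200, not 18154, is the rule reported as matching. Keep the match string as specific as possible so that genuine bursts of Windows errors from other sources still raise 18154.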
----- Original Message -----
From: "Michael Barrett" <[email protected]>
To: [email protected]
Sent: Thursday, March 15, 2012 8:42:14 AM
Subject: [ossec-list] Turn off rule?
Is there a way to configure the ossec agent to ignore specific windows events?
I have an application that is misbehaving and it's creating OSSEC alerts for
multiple Windows events:
Rule: 18154 (level 10) -> 'Multiple Windows error events.'
Can I configure OSSEC agent to eliminate rule 18154?
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | Phone 1.414.347.6271 | Fax
1.888.601.4440 | Email [email protected]
This message is intended for use only by the person(s) addressed above and may
contain privileged and confidential information. Disclosure or use of this
message by any other person is strictly prohibited. If this message is received
in error, please notify the sender immediately and delete this message.