Good Day Everyone

I'm very new to OSSEC and am currently in the process of setting up the
system in our environment. I'm looking to turn off one of the email
alerts that I have been getting which is the "First time this user
logged in this system" event. I have created the custom rule below in
the local_rules.xml file and restarted the service but the email still
keeps coming. Is there something that I'm missing? Any help would be
greatly appreciated.

<!-- stop email spam from windows -->
   <rule id="18119" level="3" noalert="1">
     <if_sid>18119</if_sid>
     <options>no_email_alert</options>
     <if_fts />
     <description>First time this user logged in this system.</description>
     <group>authentication_success,</group>
   </rule>


Thanks
Carmen Payne
GCFE, GCFA, GCIH
