On Wed, May 16, 2012 at 1:12 PM, Carmen Payne <[email protected]> wrote:
> Good Day Everyone
>
> I'm very new to OSSEC and am currently in the process of setting up the
> system in our environment. I'm looking to turn off one of the email
> alerts that I have been getting, which is the "First time this user
> logged in this system" event. I have created the custom rule below in
> the local_rules.xml file and restarted the service but the email still
> keeps coming. Is there something that I'm missing? Any help would be
> greatly appreciated.
>

This is a mess.

> <!-- stop email spam from windows -->
> <rule id="18119" level="3"noalert="1">

There's a rule in /var/ossec/rules/msauth_rules.xml with the id of 18119. If you want to overwrite it you need to set the overwrite option.

> <if_sid>18119</if_sid>

If this rule is 18119, how could 18119 have already triggered?

> <options>no_email_alert</options>
> <if_fts />
> <description>First time this user logged in this system.</description>
> <group>authentication_success,</group>
> </rule>
>
>
> Thanks
> Carmen Payne
> GCFE, GCFA, GCIH

Try:

<rule id="145541" level="0">
<if_sid>18119</if_sid>
<description>Ignore 18119</description>
</rule>
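For readers following the thread, here is an added local_rules.xml fragment (not from either poster) showing the two ways this is normally done: a child rule that drops the event entirely, as the reply suggests, and a child rule that keeps the alert in the log but only suppresses the email. The group name, rule id 100101 and the description text are assumptions; the id 18119 and option names come from the thread. Use one block or the other, not both.

```xml
<!-- local_rules.xml: added example, not part of the original thread.
     Both rules are children of 18119 via <if_sid>; they must use a NEW id.
     Re-using id 18119 itself would require overwrite="yes" on that rule. -->
<group name="local,syslog,">

  <!-- Option 1 (what the reply proposes): silence the event completely.
       A level-0 match is neither logged nor emailed. -->
  <rule id="145541" level="0">
    <if_sid>18119</if_sid>
    <description>Ignore 18119</description>
  </rule>

  <!-- Option 2 (assumed id 100101, in the 100000-119999 local range): keep
       the level-3 alert in alerts.log for later review but stop the email.
       Do not repeat <if_fts /> here; the parent 18119 already enforces it. -->
  <rule id="100101" level="3">
    <if_sid>18119</if_sid>
    <options>no_email_alert</options>
    <description>First login of a user on this host (logged, not emailed)</description>
  </rule>

</group>
```

After editing, restart OSSEC and confirm the file parses; a malformed attribute such as the missing space in `level="3"noalert="1"` can make the whole local rule set fail to load, which leaves the original emails unchanged.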
