The following rule is what is located in msauth_rules.xml:
  <rule id="18119" level="3">
    <if_sid>18107</if_sid>
    <options>alert_by_email</options>
    <if_fts />            
    <description>First time this user logged in this system.</description>
    <group>authentication_success,</group>
  </rule>
 
Hence I have added the following rule to my local_rule.xml as per your 
suggestion from your post. 
<rule id="18119" level="3"> 
  <if_sid>18107</if_sid>  
  <description>Ignore 18119</description>
</rule>
 
However I'm still getting the email. Any other suggestions? 
 

On Wednesday, May 16, 2012 11:12:16 AM UTC-6, Carmen Payne wrote:

> Good Day Everyone 
>
> I'm very new to OSSEC and am currently in the process of setting up the 
> system in our environment. I'm looking to turn off one of the email 
> alerts that I have been getting which is the "First time this user 
> logged in this system" event. I have created the custom rule below in 
> the local_rules.xml file and restarted the service but the email still 
> keeps coming. Is there something that I'm missing? Any help would be 
> greatly appreciated. 
>
> <!-- stop email spam from windows --> 
>    <rule id="18119" level="3"noalert="1"> 
>      <if_sid>18119</if_sid> 
>      <options>no_email_alert</options> 
>      <if_fts /> 
>      <description>First time this user logged in this system.</description> 
>      <group>authentication_success,</group> 
>    </rule> 
>
>
> Thanks 
> Carmen Payne 
> GCFE, GCFA, GCIH

