On Thu, May 17, 2012 at 12:23 PM, Carmen Payne <[email protected]> wrote:
> the following rule is what is located in msauth_rules.xml
> <rule id="18119" level="3">
>   <if_sid>18107</if_sid>
>   <options>alert_by_email</options>
>   <if_fts />
>   <description>First time this user logged in this system.</description>
>   <group>authentication_success,</group>
> </rule>
>
> hence I have added the following rule to my local_rule.xml as per your suggestion from your post.
> <rule id="18119" level="3">
>   <if_sid>18107</if_sid>
>   <description>Ignore 18119</description>
> </rule>
>
> However I'm still getting the email. Any other suggestions?

This is in no way what I suggested. I suggest you reread my message. Please explain why you added that rule to your local_rules.xml. I want to know how this makes sense.

> On Wednesday, May 16, 2012 11:12:16 AM UTC-6, Carmen Payne wrote:
>>
>> Good Day Everyone
>>
>> I'm very new to OSSEC and am currently in the process of setting up the system in our environment. I'm looking to turn off one of the email alerts that I have been getting which is the "First time this user logged in this system" event. I have created the custom rule below in the local_rules.xml file and restarted the service but the email still keeps coming. Is there something that I'm missing? Any help would be greatly appreciated.
>>
>> <!-- stop email spam from windows -->
>> <rule id="18119" level="3"noalert="1">
>>   <if_sid>18119</if_sid>
>>   <options>no_email_alert</options>
>>   <if_fts />
>>   <description>First time this user logged in this system.</description>
>>   <group>authentication_success,</group>
>> </rule>
>>
>> Thanks
>> Carmen Payne
>> GCFE, GCFA, GCIH
