Sounds good. What I wanted to accomplish was to fire a rule between 6:00 am and 6:00 pm Monday through Friday. Doing <time>6 am - 6 pm</time> works great. If I add <weekday>Monday - Friday</weekday> it balks. I had to do <weekday>weekdays</weekday> to get it to work. Obviously the second option is cleaner. Just not sure why the first caused an error.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, August 13, 2012 9:22 AM
To: [email protected]
Subject: Re: [ossec-list] Ignoring alerts at certain times of the day

On Mon, Aug 13, 2012 at 10:16 AM, Nelson, James <[email protected]> wrote:
> Thank you. I did see that, but the syntax was an issue. Looks like weekday
> is the other one I need. Thanks for the link. I searched the site and
> nothing was coming up.
>

I'll try to add an example (like the one in your previous email) to the documentation page. I feel like the syntax has been an issue before. Thanks!

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Monday, August 13, 2012 9:13 AM
> To: [email protected]
> Subject: Re: [ossec-list] Ignoring alerts at certain times of the day
>
> On Mon, Aug 13, 2012 at 9:55 AM, Nelson, James <[email protected]> wrote:
>> How would I write a custom rule to set the level of certain rules to
>> 0 during a specific time of day. For example, I want to ignore
>> logins on a machine during office hours.
>>
>>
>>
>> Thanks
>
> You could try
> http://www.ossec.net/doc/syntax/head_rules.html#element-time
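
A complete local rule built from the two elements discussed in this thread, added here as an example and not taken from any of the messages above. The rule ID 100100, the group name, and the choice of parent rule 5715 (the stock sshd authentication-success rule) are assumptions; substitute the ID of whichever login rule you want to silence.

```xml
<!-- Added example: a child rule that drops matching events to level 0
     only inside the office-hours window. Outside the window this rule
     does not match, so the parent rule alerts at its normal level. -->
<group name="local,syslog,">

  <!-- 100100 is an assumed ID in the range used for local rules. -->
  <rule id="100100" level="0">

    <!-- Assumed parent: 5715 (sshd authentication success).
         Replace with the rule ID of the login event you see in alerts. -->
    <if_sid>5715</if_sid>

    <!-- Time-of-day window, in the form reported as working above. -->
    <time>6 am - 6 pm</time>

    <!-- The thread reports that <weekday>Monday - Friday</weekday> was
         rejected and that the "weekdays" keyword was accepted. -->
    <weekday>weekdays</weekday>

    <description>Ignore successful logins during office hours (Mon-Fri, 6 am - 6 pm).</description>
  </rule>

</group>
```

Because both `<time>` and `<weekday>` must match for the rule to apply, weekend logins and logins outside 6 am to 6 pm still raise the parent rule's alert.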
