I would think that in your local rules you could write a new rule, use
match to set up your condition, then the option of no_email_alert. I've
got them all over the place, and they're working.

<rule id="100xxx" level="0">
  <if_sid>4100</if_sid>
  <match>svc_vesx</match>
  <options>no_email_alert</options>
  <description>Ignores whatever you want</description>
</rule>

On Tuesday, May 14, 2013 5:30:12 PM UTC-5, OSSEC junkie wrote:
> Is there a way to ignore an alert from a particular user? We have an ESX
> environment with a service account that is a bit buggy. It's sending
> invalid login attempts by the thousands on a daily basis. Is it possible
> to configure OSSEC to ignore any rule created by "svc_vesx" but still log
> invalid login attempts as expected?
>
> I would think it is but want to get the expert opinion. Thanks!
>
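
An added example, not part of the original thread and not OSSEC's own code: a simplified Python model of how the rule in the reply is evaluated, run over constructed log lines, to check what the substring <match> actually silences before the rule is deployed. The event format, the second parent sid (5710) and the helper names are assumptions made for the illustration; only literal, unanchored patterns are modelled.

```python
import xml.etree.ElementTree as ET

# The rule from the reply above, unchanged ("100xxx" is the poster's placeholder id).
RULE_XML = """
<rule id="100xxx" level="0">
  <if_sid>4100</if_sid>
  <match>svc_vesx</match>
  <options>no_email_alert</options>
  <description>Ignores whatever you want</description>
</rule>
"""

# Constructed events: (sid of the parent rule that already fired, raw log line).
SAMPLE_EVENTS = [
    (4100, "login failed user=svc_vesx src=10.0.0.5"),
    (4100, "login failed user=alice src=10.0.0.9"),
    (4100, "login failed user=svc_vesx_backup src=10.0.0.7"),
    (4100, "login failed user=bob host=svc_vesx-gw01 src=10.0.0.8"),
    (5710, "login failed user=svc_vesx src=10.0.0.5"),
]

def load_rule(xml_text):
    """Extract the fields this model uses from a single <rule> element."""
    rule = ET.fromstring(xml_text)
    return {
        "level": int(rule.get("level")),
        "if_sid": {int(s) for s in rule.findtext("if_sid").split(",")},
        # Simplification: only literal alternatives separated by '|' are modelled.
        "match": rule.findtext("match").split("|"),
    }

def is_suppressed(rule, parent_sid, log_line):
    """True when the child rule fires at level 0, i.e. the event stops alerting."""
    if parent_sid not in rule["if_sid"]:
        return False
    hit = any(pattern in log_line for pattern in rule["match"])
    return hit and rule["level"] == 0

def audit(rule, events):
    """Split events into the ones the rule silences and the ones that still alert."""
    silenced = [line for sid, line in events if is_suppressed(rule, sid, line)]
    alerting = [line for sid, line in events if not is_suppressed(rule, sid, line)]
    return silenced, alerting

if __name__ == "__main__":
    for label, lines in zip(("silenced", "alerting"), audit(load_rule(RULE_XML), SAMPLE_EVENTS)):
        for line in lines:
            print(f"{label}: {line}")
```

Because <match> is compared against the whole log line, the constructed lines for svc_vesx_backup and for bob (where the string appears in the host field) are silenced too, while the svc_vesx event under a different parent rule still alerts.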