On Tue, May 14, 2013 at 6:30 PM, OSSEC junkie <[email protected]> wrote:
> Is there a way to ignore an alert from a particular user? We have an ESX
> environment with a service account that is a bit buggy. It's sending
> invalid login attempts by the thousands on a daily basis. Is it possible
> to configure OSSEC to ignore any rule created by "svc_vesx" but still log
> invalid login attempts as expected?
>
> I would think it is but want to get the expert opinion. Thanks!
>
Without seeing the log message, and how it's decoded, I'll go with "yes."

<rule id="blahblah" level="0">
  <if_sid>whatever_is_flooding</if_sid>
  <user>USER</user>
</rule>

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
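
The reply's caveat about how the log is decoded matters because `<user>` can only match a field the decoder actually extracted. The following is an added example, not part of the thread and not OSSEC code: a simplified Python model of the level-0 child rule, in which the rule ids, the event fields and the sample events are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ids: 100200 stands in for the rule that is flooding and
# 100201 for the override. Neither id comes from the thread.
OVERRIDE_XML = """
<rule id="100201" level="0">
  <if_sid>100200</if_sid>
  <user>svc_vesx</user>
  <description>Ignore failed logins from svc_vesx</description>
</rule>
"""

# Constructed decoded events. The third one models a log line whose
# decoder did not extract a user field at all.
EVENTS = [
    {"log": "failed login for svc_vesx", "sid": "100200", "level": 5, "user": "svc_vesx"},
    {"log": "failed login for alice", "sid": "100200", "level": 5, "user": "alice"},
    {"log": "login failure: svc_vesx (user not decoded)", "sid": "100200", "level": 5},
]

def load_override(xml_text):
    """Read the child rule's id, level, parent sid and user from XML."""
    rule = ET.fromstring(xml_text.strip())
    return {
        "id": rule.get("id"),
        "level": int(rule.get("level")),
        "if_sid": rule.findtext("if_sid").strip(),
        "user": rule.findtext("user").strip(),
    }

def evaluate(event, override):
    """Return (rule_id, level) that applies to one decoded event.

    Simplified model: the child rule wins only when the parent rule
    matched AND the decoded user equals the configured name. OSSEC
    matches <user> as a pattern; exact equality is an assumption here.
    """
    parent_matched = event["sid"] == override["if_sid"]
    user_matched = event.get("user") == override["user"]
    if parent_matched and user_matched:
        return override["id"], override["level"]
    return event["sid"], event["level"]

def alerts(events, override):
    """Logs that still raise an alert; a level-0 rule raises none."""
    return [e["log"] for e in events if evaluate(e, override)[1] > 0]

if __name__ == "__main__":
    for line in alerts(EVENTS, load_override(OVERRIDE_XML)):
        print("ALERT:", line)
```

In this model the undecoded event still alerts even though it names svc_vesx, which is the case where the rule would need a text match on the log line instead of `<user>`.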
