Thank you both for the reply, I created this rule:

<rule id="18152" level="0">
  <if_sid>18456</if_sid>
  <match>svc_vesx</match>
  <options>no_email_alert</options>
  <description>Ignore svc_vcenter spam</description>
</rule>

from the log entry:

Received From: (DB01.DOMAIN) 192.168.0.100->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):

WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]
WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: svc_vesx: ABC: DB01.DOMAIN: Login failed for user 'ABC\svc_vesx'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.115.15]

When I attempt to save, I get this message in ossec.log:

2013/05/15 07:58:53 rules_op: Invalid root element "rule".Only "group" is allowed
2013/05/15 07:58:53 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
2013/05/15 08:00:36 ossec-testrule: INFO: Reading local decoder file.
2013/05/15 08:00:36 rules_op: Invalid root element "rule".Only "group" is allowed
2013/05/15 08:00:36 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Any ideas?

On Wed, May 15, 2013 at 6:27 AM, dan (ddp) <[email protected]> wrote:
> On Tue, May 14, 2013 at 6:30 PM, OSSEC junkie <[email protected]> wrote:
> > Is there a way to ignore an alert from a particular user? We have an ESX
> > environment with a service account that is a bit buggy. It's sending
> > invalid login attempts by the thousands on a daily basis. Is it possible
> > to configure OSSEC to ignore any rule created by "svc_vesx" but still log
> > invalid login attempts as expected?
> >
> > I would think it is but want to get the expert opinion. Thanks!
>
> Without seeing the log message, and how it's decoded, I'll go with "yes."
>
> <rule id="blahblah" level="0">
>   <if_sid>whatever_is_flooding</if_sid>
>   <user>USER</user>
> </rule>
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
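As an added example (not code from the thread or from the OSSEC project), a small Python checker that catches the two problems visible in the message above before ossec-testrule does: a local_rules.xml whose root is <rule> instead of <group>, and a local rule reusing id 18152, which the alert itself shows is the stock "Multiple Windows Logon Failures" rule. FIXED is an assumed corrected file: id 100100 is assumed free in the 100000-119999 range OSSEC reserves for user rules, and <user> assumes the Windows decoder places svc_vesx in the user field, as dan's reply suggests.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the rule posted in the thread: <rule> sits at the root, and
# id 18152 is already the stock rule the alert shows firing.
POSTED = """<rule id="18152" level="0">
  <if_sid>18456</if_sid>
  <match>svc_vesx</match>
  <options>no_email_alert</options>
  <description>Ignore svc_vcenter spam</description>
</rule>"""

# Assumed corrected file: <group> root, an id from the range OSSEC reserves for
# local rules (100100 is assumed free), and <user> so only this account's
# failures under the firing rule are silenced (level 0).
FIXED = """<group name="local,windows,">
  <rule id="100100" level="0">
    <if_sid>18152</if_sid>
    <user>svc_vesx</user>
    <options>no_email_alert</options>
    <description>Ignore MSSQL logon failures from the svc_vesx service account</description>
  </rule>
</group>"""

LOCAL_MIN, LOCAL_MAX = 100000, 119999  # id range reserved for user rules

def check_local_rules(xml_text, stock_ids=frozenset()):
    """Return problems ossec-testrule would reject, or that would silently
    shadow a shipped rule. stock_ids: ids used by the shipped rule files."""
    problems = []
    # OSSEC accepts several top-level <group> elements, so wrap before parsing.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    for elem in root:
        if elem.tag != "group":
            problems.append(f'invalid root element "{elem.tag}": only "group" is allowed')
            continue
        for rule in elem.findall("rule"):
            rid = rule.get("id", "")
            if not rid.isdigit():
                problems.append(f"rule with missing or non-numeric id {rid!r}")
                continue
            if int(rid) in stock_ids:
                problems.append(f"rule {rid} collides with a shipped rule id")
            elif not LOCAL_MIN <= int(rid) <= LOCAL_MAX:
                problems.append(f"rule {rid} is outside the local range {LOCAL_MIN}-{LOCAL_MAX}")
            if rule.get("level") is None:
                problems.append(f"rule {rid} has no level attribute")
            if rule.find("description") is None:
                problems.append(f"rule {rid} has no description")
    return problems
```

Feed it the ids harvested from the shipped rule files (for example with grep -o 'id="[0-9]*"' over the rules directory) as stock_ids so collisions are reported along with structural errors.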
