I added these rules; so far it seems to be working.

<rule id="700679" level="0">
  <if_sid>18152</if_sid>
  <hostname>SSP001001-006</hostname>
  <description>Ignore multiples login failures</description>
</rule>

But not to block 1002, and yes to 18152.

To ignore the 1002:

Srv-monitor OTRS-otrs.GenericAgent.pl-10[4230]: [Error][Kernel::System::DB::new][Line:227]: Access denied for user 'otrs'@'localhost' (using password: YES)
Srv-monitor /USR/SBIN/CRON[4226]: (CRON) error (grandchild #4228 failed with exit status 255)
Srv-monitor OTRS-otrs.PostMasterMailbox.pl-10[4232]: [Error][Kernel::System::DB::new][Line:227]: Access denied for user 'otrs'@'localhost' (using password: YES)
Srv-monitor /USR/SBIN/CRON[4225]: (CRON) error (grandchild #4229 failed with exit status 255)
Srv-monitor OTRS-otrs.GenericAgent.pl-10[4233]: [Error][Kernel::System::DB::new][Line:227]: Access denied for user 'otrs'@'localhost' (using password: YES)
Srv-monitor /USR/SBIN/CRON[4227]: (CRON) error (grandchild #4231 failed with exit status 255)

Will I have to create rules so that when it finds these texts I ignore them? For example:

<rule id="101002" level="0">
  <if_sid>1002</if_sid>
  <program_name>^canitd</program_name>
  <match>Srv-monitor /USR/SBIN/CRON[4227]: (CRON) error (grandchild #4231 failed with exit status 255)</match>
</rule>

Correct?
