Dan - But it's an alert from three different servers. If you go into REMOTEDEV03's logs, you can find where it's having this problem - but you have to go into the logs of the other two servers to find those error messages. Why is it being aggregated into one error message?

Thanks,
Tim

On Saturday, August 31, 2013 1:06:10 PM UTC-4, dan (ddpbsd) wrote:
>
> On Aug 31, 2013 1:01 PM, "Tim Boyer" <[email protected]> wrote:
> >
> > Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the way I expect. I assume that that is a problem with my expectations, but just in case...
> >
>
> The email you provided only includes 1 alert, not a group of alerts. The alert happens to include multiple log messages, but it is still just 1 alert.
>
> > ossec.conf looks like so:
> >
> >   <email_alerts>
> >     <email_to>WINDOWS</email_to>
> >     <level>5</level>
> >     <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
> >     <do_not_group />
> >   </email_alerts>
> >
> > but 'Multiple Windows error events' continues to group messages, like so:
> >
> > Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
> > Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> > Portion of the log(s):
> >
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> > WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
> >
> > I believe this is only happening with the 'Multiple Windows' alert. Is this a limitation in do_not_group, or is there something I'm doing wrong?
> >
> > Thanks,
> >
> > Tim
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
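As an added illustration of Dan's point that the email carries one alert made of several log lines (this is a model written for this thread, not OSSEC's code and not from either poster), here is a Python sketch of how a frequency rule such as 18154 accumulates base-rule matches from any agent until a threshold is reached and then emits a single alert. The threshold of 8 events in 180 seconds, matching the base rule on "ERROR(", the absence of a same-host constraint, and clearing the counter after firing are all assumptions of the model.

```python
# Added model (not OSSEC's code) of how a frequency rule such as 18154 folds
# several base-rule matches into ONE alert. Threshold 8 / 180 s, the base-rule
# match string and the absence of a same-host constraint are assumptions.
from collections import deque

BASE_MATCH = "ERROR("   # stand-in for the base "Windows error event" match (assumption)

def composite_alerts(events, frequency=8, timeframe=180, same_host=False):
    """events: list of (seconds, host, logline) in time order.
    Returns a list of alerts; each alert carries the hosts and the log lines
    that contributed to it. With same_host=False (assumed for the rule in the
    thread) events from any agent count toward the same threshold, so one
    alert can span several servers, which is what the emailed alert shows.
    The counter is cleared once the rule fires (modelling assumption)."""
    windows, alerts = {}, []
    for ts, host, line in events:
        if BASE_MATCH not in line:
            continue
        q = windows.setdefault(host if same_host else "*", deque())
        q.append((ts, host, line))
        while ts - q[0][0] > timeframe:       # drop events older than the timeframe
            q.popleft()
        if len(q) >= frequency:
            alerts.append({"rule": 18154,
                           "description": "Multiple Windows error events.",
                           "hosts": sorted({h for _, h, _ in q}),
                           "logs": [l for _, _, l in q]})
            q.clear()
    return alerts

# Constructed sample mirroring the email: 5 + 2 + 1 error events from three agents.
DHCP = ("WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no "
        "domain: {h}: The WinHTTP Web Proxy Auto-Discovery Service service depends "
        "on the DHCP Client service which failed to start")
GP = ("WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: "
      "NT AUTHORITY: {h}: The processing of Group Policy failed.")
H1, H2, H3 = "REMOTEDEV03.dev.timboyer.org", "LOCALCON01.timboyer.org", "REMOTECON01.timboyer.org"
SAMPLE_EVENTS = ([(10 * i, H1, DHCP.format(h=H1)) for i in range(5)]
                 + [(60 + 10 * i, H2, DHCP.format(h=H2)) for i in range(2)]
                 + [(90, H3, GP.format(h=H3))])

if __name__ == "__main__":
    for a in composite_alerts(SAMPLE_EVENTS):
        print(f"Rule {a['rule']} -> {a['description']} "
              f"({len(a['logs'])} logs from hosts {a['hosts']})")
    print("same-host alerts:", composite_alerts(SAMPLE_EVENTS, same_host=True))
```

Run as-is it emits one alert holding all eight log lines from the three hosts, while the same-host variant emits nothing because no single host reaches the threshold; do_not_group only affects how finished alerts are batched into email, not how many events a composite rule folds into one alert.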
