On Aug 31, 2013 8:55 PM, "Tim Boyer" <[email protected]> wrote:
>
> Dan -
>
> But it's an alert from three different servers. If you go into REMOTEDEV03's logs, you can find where it's having this problem - but you have to go into the logs of the other two servers to find those error messages. Why is it being aggregated into one error message?
>

That alert is happening whether it is emailed out or not. The do not group option is for the email, not the alert.

> Thanks,
>
> Tim
>
>
> On Saturday, August 31, 2013 1:06:10 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Aug 31, 2013 1:01 PM, "Tim Boyer" <[email protected]> wrote:
>> >
>> > Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the way I expect. I assume that that is a problem with my expectations, but just in case...
>> >
>>
>> The email you provided only includes 1 alert, not a group of alerts. The alert happens to include multiple log messages, but it is still just 1 alert.
>>
>> > ossec.conf looks like so:
>> >
>> > <email_alerts>
>> >   <email_to>WINDOWS</email_to>
>> >   <level>5</level>
>> >   <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
>> >   <do_not_group />
>> > </email_alerts>
>> >
>> > but 'Multiple Windows error events' continues to group messages, like so:
>> >
>> > Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
>> > Rule: 18154 fired (level 10) -> "Multiple Windows error events."
>> > Portion of the log(s):
>> >
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
>> > WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
>> >
>> >
>> > I believe this is only happening with the 'Multiple Windows' alert. Is this a limitation in do_not_group, or is there something I'm doing wrong?
>> >
>> > Thanks,
>> >
>> > Tim
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
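Dan's point is that rule 18154 produces one alert whose "Portion of the log(s)" section carries the events that tripped the frequency threshold, regardless of how the e-mail is grouped, and those events can come from several Windows hosts even though "Received From" names a single agent. The script below is an added example, not code from the thread or from OSSEC: it parses an alert in the format shown above (the older `WinEvtLog: <log>: <TYPE>(<id>): <source>: <user>: <domain>: <host>: <message>` line layout, which is assumed from the quoted lines) and breaks the bundled events down per originating host, so an analyst can see at a glance which servers' logs actually need to be checked. The sample alert embedded in the script is the one quoted in the thread.

```python
"""Break one OSSEC alert from a frequency rule (e.g. 18154, "Multiple Windows
error events") down by the Windows host each bundled event came from.

Added example; it assumes the WinEvtLog line layout visible in the thread:
WinEvtLog: <log>: <TYPE>(<event_id>): <source>: <user>: <domain>: <host>: <message>
"""
import re
from collections import Counter

# The alert quoted in the thread, one WinEvtLog entry per line.
SAMPLE_ALERT = """\
Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
Rule: 18154 fired (level 10) -> "Multiple Windows error events."
Portion of the log(s):

WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
"""

# "Received From: (AGENT) IP->location" identifies the agent that relayed the alert.
HEADER_RE = re.compile(r'^Received From: \((?P<agent>[^)]+)\) (?P<ip>[^-]+)->(?P<location>.+)$')
# "Rule: NNNN fired (level N) -> "description""
RULE_RE = re.compile(r'^Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"')
# One bundled Windows event; the host field is what we want to group on.
WINEVT_RE = re.compile(
    r'^WinEvtLog: (?P<channel>[^:]+): (?P<type>[A-Z_ ]+)\((?P<event_id>\d+)\): '
    r'(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<message>.*)$')


def parse_alert(text):
    """Return the reporting agent, the rule that fired and the bundled events."""
    agent = rule = None
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            agent = m.groupdict()
            continue
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            continue
        m = WINEVT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return {"agent": agent, "rule": rule, "events": events}


def events_by_host(text):
    """Count bundled events per originating Windows host (hostname field)."""
    return Counter(e["host"] for e in parse_alert(text)["events"])


def summarize(text):
    """Human-readable breakdown: rule, relaying agent, then per-host counts."""
    parsed = parse_alert(text)
    lines = [
        f"Rule {parsed['rule']['rule']} (level {parsed['rule']['level']}): {parsed['rule']['desc']}",
        f"Relayed by agent {parsed['agent']['agent']} ({parsed['agent']['ip']}); "
        f"{len(parsed['events'])} events from {len(events_by_host(text))} host(s):",
    ]
    for host, n in events_by_host(text).most_common():
        ids = sorted({e["event_id"] for e in parsed["events"] if e["host"] == host})
        lines.append(f"  {host}: {n} event(s), event id(s) {', '.join(ids)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERT))
```

Run as-is, the summary shows the single alert relayed by REMOTEDEV03 actually bundles events from three hosts (five from REMOTEDEV03, two from LOCALCON01, one from REMOTECON01), which is exactly the situation Tim describes: `do_not_group` controls how alerts are packed into e-mails, and does nothing to the set of log lines a frequency rule attaches to one alert.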
