So does the 'time' rule do what I think it does, or am I completely off
base here? We're doing a reboot at 5AM every morning, and have in
local_rules:

<rule id="100360" level="0">
  <time>5:00 am - 5:30 am</time>
  <hostname>TABSRV3</hostname>
  <description>Ignore SRV3 reboot</description>
</rule>

and yet are still getting this:

OSSEC HIDS Notification.
2013 Sep 13 05:20:09
Received From: (TABSRV3) 192.168.42.49->WinEvtLog
Rule: 18154 fired (level 10) -> "Multiple Windows error events."
Portion of the log(s):
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_McSystemEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_InitCompleteEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_McSystemEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_InitCompleteEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_McSystemEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
WinEvtLog: Application: ERROR(1008): Perflib: (no user): no domain:
TABSRV3: The Open Procedure for service "Oracle StorageDB Service" in DLL
"C:\WINDOWS\System32\StorageDBPerf.dll" failed. Performance data for this
service will not be available. The Status code returned is the first DWORD
in the attached data.
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_McSystemEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
WinEvtLog: Application: ERROR(10): WinMgmt: (no user): no domain: TABSRV3:
Event filter with query "select * from HP_InitCompleteEvent" could not be
(re)activated in namespace "//./root/WMI" because of error 0x80041010.
Events may not be delivered through this filter until the problem is
corrected.
--END OF NOTIFICATION

What am I missing here? Thanks...