I was looking through my rule files and I saw this rule and was wondering
if the numbers between the <id></id> tags are Windows event error IDs,
since the OSSEC rule ID is already at the top of the rule. I am wondering
this because with rule 18154 I want to ignore any events with Windows event
log error:(1111). Thank you ahead of time guys!

<rule id="18106" level="5">
  <if_sid>18105</if_sid>
  <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625</id>
  <description>Windows Logon Failure.</description>
  <group>win_authentication_failed,</group>
</rule>