Look in ossec.conf for the following lines:

  <alerts>
    <log_alert_level>2</log_alert_level>
    <email_alert_level>8</email_alert_level>
  </alerts>

Any alerts you don't want to be emailed about have to have a level lower than what the email_alert_level is set at.

On Wednesday, May 16, 2012 at 12:12:16 PM UTC-5, Carmen Payne wrote:
>
> Good Day Everyone
>
> I'm very new to OSSEC and am currently in the process of setting up the
> system in our environment. I'm looking to turn off one of the email
> alerts that I have been getting which is the "First time this user
> logged in this system" event. I have created the custom rule below in
> the local_rules.xml file and restarted the service but the email still
> keeps coming. Is there something that I'm missing? Any help would be
> greatly appreciated.
>
> <!-- stop email spam from windows -->
> <rule id="18119" level="3"noalert="1">
> <if_sid>18119</if_sid>
> <options>no_email_alert</options>
> <if_fts />
> <description>First time this user logged in this system.</description>
> <group>authentication_success,</group>
> </rule>
>
>
> Thanks
> Carmen Payne
> GCFE, GCFA, GCIH
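Added example, not part of the original thread and not OSSEC's own code: a small Python check that reads email_alert_level from an ossec.conf fragment and reports which rules in a rules file would trigger an email, following the threshold rule described in the reply. The config and rules are constructed samples with a single XML root each, the rule ids 100001 to 100004 are made up, and giving no_email_alert priority over alert_by_email is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (single root element assumed).
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>2</log_alert_level>
    <email_alert_level>8</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed rules; ids, levels and descriptions are illustrative only.
RULES = """<group name="local,">
  <rule id="100001" level="3"><description>below threshold</description></rule>
  <rule id="100002" level="10"><description>above threshold</description></rule>
  <rule id="100003" level="10"><options>no_email_alert</options>
    <description>email suppressed by option</description></rule>
  <rule id="100004" level="3"><options>alert_by_email</options>
    <description>email forced by option</description></rule>
</group>"""

def email_threshold(conf_xml):
    """Return the integer email_alert_level from the <alerts> block."""
    node = ET.fromstring(conf_xml).find("alerts/email_alert_level")
    if node is None or not (node.text or "").strip().isdigit():
        raise ValueError("email_alert_level missing or not a number")
    return int(node.text)

def rules_that_email(rules_xml, threshold):
    """Map each rule id to True if an alert from it would be emailed."""
    result = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        opts = {o.text.strip() for o in rule.findall("options") if o.text}
        if "no_email_alert" in opts:      # assumption: suppression wins
            sends = False
        elif "alert_by_email" in opts:    # forces email regardless of level
            sends = True
        else:                             # plain threshold comparison
            sends = int(rule.get("level")) >= threshold
        result[rule.get("id")] = sends
    return result

if __name__ == "__main__":
    limit = email_threshold(OSSEC_CONF)
    for rule_id, sends in rules_that_email(RULES, limit).items():
        print(rule_id, "email" if sends else "no email")
```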
