Hi,

I would try modifying the ossec-single-line plugin (/etc/ossim/agent/plugins/ossec-single-line.cfg) regular expressions not to match alerts when they include the $ sign.

You can use the regexp.py tool to identify the rule, in the plugin, matching your alerts (you can find it here: https://www.alienvault.com/forums/discussion/1772/fixed-regexp-py-script-to-work-like-agent-does ).

Another option would be modifying OSSEC rules not to trigger the alerts when they have the $ sign. I guess your issue is related to rule 18106 or 18107. You could create your own rules (in /var/ossec/rules/local_rules.xml) and overwrite existing ones.

I hope it helps.

On Wed, Jun 17, 2015 at 11:40 PM, TVS-Rick <[email protected]> wrote:

> Hello,
>
> I'm looking to generate a report that shows login/logout times of actual users.
> I am using AlienVault to generate the report. AlienVault does not provide a solution to exclude particular users, so I am hoping ossec can.
>
> Basically, I have lists of thousands of login/logout events, but the vast majority of them is the system account. I want to exclude all 'usernames' that have a trailing $ dollar sign.
>
> The catch: I still want to log the system events, so I can't just completely exclude them.
>
> I hope this has made sense.
>
> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
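As an added illustration of the two approaches in the reply above (a plugin regex that simply does not match machine accounts, versus matching everything and splitting report from log), here is a small Python script that is not part of the thread or of OSSEC/AlienVault. The alert lines, their "Rule: ... User: ..." layout and the hostnames are constructed for the demo and only approximate a single-line Windows logon/logoff alert.

```python
import re

# Constructed sample alerts (not real OSSEC output). The layout only approximates
# a single-line Windows logon/logoff alert carrying a "User:" field.
SAMPLE_ALERTS = [
    "Rule: 18107 -> 'Windows Logon Success' User: jsmith Src: 10.0.0.5",
    "Rule: 18107 -> 'Windows Logon Success' User: WORKSTATION01$ Src: 10.0.0.7",
    "Rule: 18106 -> 'Windows Logoff' User: DC01$ Src: 10.0.0.2",
    "Rule: 18106 -> 'Windows Logoff' User: admin Src: 10.0.0.9",
]

# Generic field extraction: rule id plus the user name, whatever it ends in.
ALERT_RE = re.compile(r"Rule: (?P<sid>\d+) .*?User: (?P<user>\S+)")

# Plugin-style variant of the same pattern that does not match at all when the
# user name ends in "$": the name must finish on a character that is neither
# whitespace nor "$", and be followed by whitespace or end of line.
HUMAN_ONLY_RE = re.compile(r"Rule: (?P<sid>\d+) .*?User: (?P<user>\S*[^\s$])(?=\s|$)")


def is_machine_account(user: str) -> bool:
    """Windows computer accounts carry a trailing '$' in their account name."""
    return user.endswith("$")


def route_alerts(lines):
    """Keep every logon/logoff event in the full log, but put only human
    accounts in the report: the split the original poster asks for."""
    logged, report = [], []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a logon/logoff alert in the expected layout
        event = (m.group("sid"), m.group("user"))
        logged.append(event)
        if not is_machine_account(event[1]):
            report.append(event)
    return {"logged": logged, "report": report}


def human_users_via_regex(lines):
    """Same report list, produced purely by the non-matching regex variant."""
    return [(m.group("sid"), m.group("user"))
            for m in map(HUMAN_ONLY_RE.search, lines) if m]
```

Running `route_alerts(SAMPLE_ALERTS)` yields four logged events but only the two human accounts in the report, and `human_users_via_regex` returns that same report list from the regex alone.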
