Hi, I am trying to filter out the following alert, which comes because we currently have an issue with our site scope (HOSTNAME) server. I would like to filter it until the issue is resolved, as it is causing my log rotation to fail even though I appear to have plenty of disk space during normal daily operation. I have tried to filter it out with the local rule below, but am still seeing the alert slip through. I was trying to just filter the hostname out so I didn't see this alert only for the site scope (HOSTNAME) server. I don't necessarily want to filter out all WinEvtLog: Security: AUDIT_FAILURE(4776) alerts.
2015 Aug 17 09:38:46 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: windows_host.xx.xx.xx.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: HOSTNAME$ Source Workstation: HOSTNAME Error Code: 0xc0000064

  <!-- 100055 Filter out HOSTNAME -->
  <rule id="100055" level="0">
    <if_sid>18153</if_sid>
    <match> HOSTNAME </match>
    <description>Events ignored</description>
  </rule>

Thanks
Robert
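One way to sanity-check a level-0 local rule like this against the sample event before restarting OSSEC, as an added example that is not from the post or from OSSEC itself. The osmatch function is a simplified approximation of OSSEC's <match> semantics (literal substring, '|' alternation, '^' anchor), and the parent rule ids passed to rule_would_silence are assumptions: a child rule is only evaluated when one of its <if_sid> parents has fired on the same event.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the rule from the post, wrapped in a group element.
LOCAL_RULES = """<group name="local,">
  <!-- 100055 Filter out HOSTNAME -->
  <rule id="100055" level="0">
    <if_sid>18153</if_sid>
    <match> HOSTNAME </match>
    <description>Events ignored</description>
  </rule>
</group>"""

# Constructed sample event, trimmed from the alert quoted in the post.
SAMPLE_EVENT = ("2015 Aug 17 09:38:46 WinEvtLog: Security: AUDIT_FAILURE(4776): "
                "Logon Account: HOSTNAME$ Source Workstation: HOSTNAME "
                "Error Code: 0xc0000064")


def parse_rules(xml_text):
    """Return the rules in a local_rules.xml fragment as plain dicts."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = (r.findtext("if_sid") or "").split(",")
        rules.append({"id": r.get("id"),
                      "level": int(r.get("level", "0")),
                      "if_sid": [s.strip() for s in sids if s.strip()],
                      "match": r.findtext("match")})  # kept verbatim, spaces included
    return rules


def osmatch(pattern, text):
    """Approximation of OSSEC <match>: '|' separates alternatives, '^' anchors
    to the start of the event, everything else is a literal substring."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def rule_would_silence(rule, event, fired_parent_ids):
    """True if this rule would fire at level 0 (i.e. silence the event)."""
    if rule["if_sid"] and not set(rule["if_sid"]) & set(fired_parent_ids):
        return False  # parent never fired, child is never even evaluated
    if rule["match"] is not None and not osmatch(rule["match"], event):
        return False
    return rule["level"] == 0


if __name__ == "__main__":
    rule = parse_rules(LOCAL_RULES)[0]
    for parent in ("18153", "18105"):
        print(parent, rule_would_silence(rule, SAMPLE_EVENT, [parent]))
```

The pattern itself does match the event (it contains " HOSTNAME "), so if the alert still slips through, the next thing to confirm from the live alert is which rule id actually fired and whether it is the one named in <if_sid>.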
