On Mon, Dec 7, 2015 at 4:06 AM, Maxim Surdu <[email protected]> wrote:
> Hi everyone,
>
> I am new to OSSEC. I configured ossec-server and ossec agent, and all is working
> formidably!
> But I need to create an alert to show me people who are logging in outside
> working hours in my system server or agent.
> For example, my company's working hours are Monday-Friday from 09.00 until
> 18.00, and I need to know who from my employers is working after work hours!
>
> Any help would be greatly appreciated
>
You should be able to use the <time> option:
http://ossec.github.io/docs/syntax/head_rules.html#element-time

So something like (totally untested):

  <rule id="500000" level="10">
    <if_group>authentication</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>

> Thanks,
> Maxim
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
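
An added example, not part of the original thread and not rules shipped by the OSSEC project: a local_rules.xml fragment that covers the full Monday-Friday 09:00-18:00 requirement by pairing a <time> rule with a <weekday> rule, since a time range alone does not flag a weekend login at midday. The rule IDs, descriptions and group names are constructed for illustration, and it assumes the stock ruleset tags successful logins with the authentication_success group.

```xml
<!-- Added example for local_rules.xml on the OSSEC server
     (/var/ossec/rules/local_rules.xml on a default install).
     Rule IDs 100100 and 100101 are constructed; use free IDs from the
     100000-119999 range reserved for user-defined rules. -->
<group name="local,after_hours,">

  <!-- Successful login between 18:00 and 09:00, on any day of the week.
       Assumption: the decoders/rules for your log source add the
       authentication_success group to successful logins. -->
  <rule id="100100" level="10">
    <if_group>authentication_success</if_group>
    <time>6 pm - 9 am</time>
    <description>Successful login outside 09:00-18:00 working hours</description>
    <group>login_time,</group>
  </rule>

  <!-- Successful login on Saturday or Sunday, whatever the hour.
       Without this rule a weekend login at 14:00 raises no alert. -->
  <rule id="100101" level="10">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <description>Successful login on a weekend</description>
    <group>login_day,</group>
  </rule>

</group>
```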
