Hello all and Happy Holidays,
I set up a rule to look for logins after hours as follows:
<group name="after hours log in's,">
  <!-- Parent rule: any event already tagged "authentication" that arrives
       between 18:00 and 09:00 local time. -->
  <rule id="500000" level="10">
    <if_group>authentication</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>
  <!-- Child rule: drops the parent to level 0 (no alert) when the decoded
       user name matches the pattern in <user>. USERNAME is a placeholder. -->
  <rule id="500001" level="0">
    <if_sid>500000</if_sid>
    <user>USERNAME</user>
    <description>Ignore USERNAME</description>
  </rule>
</group>
The first rule tries to pick up all logins after hours, and the subordinate
rule tries to strip out non-human accounts such as service accounts and
machine accounts.
The issue I am having is that this rule picks up EVERY login (including
service accounts and machine accounts), which I have tried to enter between
the brackets like COMP-01|COMP-02 | SERVICE ACCOUNT-1 | and so on. I was
wondering, if I have a whole bunch of computer/service accounts (i.e.
COMP-01, COMP-02), how to use a regular expression to enter a single filter
which covers all the machine names (i.e. COMP*.* in DOS-ese).
Thanks,
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
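An added example, not part of the original message, of how the exclusion rule is usually written so that one pattern covers a whole family of accounts. In an OSSEC rule the `<user>` field is compared against the user name the decoder extracted from the event; within that pattern `|` separates alternatives and `^` anchors the match to the start of the name, so `^COMP-` covers COMP-01, COMP-02 and every other account with that prefix. Note that spaces around `|` are not ignored: an alternative written as ` COMP-02 ` has to match a leading and trailing space, which is the likely reason the list tried in the post never matched. The rule ids, the group name and the `time` range are kept from the post; the COMP- and SERVICE ACCOUNT- prefixes are taken from its examples and are assumed to be the site's naming scheme.

```xml
<group name="after hours log in's,">
  <!-- Parent rule: any event already tagged "authentication" that was
       generated between 18:00 and 09:00 local time. -->
  <rule id="500000" level="10">
    <if_group>authentication</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>

  <!-- Child rule: when the decoded user name starts with one of the
       non-human prefixes, the event drops to level 0 and is not alerted.
       '|' separates alternatives and '^' anchors each one to the start of
       the user name, so the two prefixes below cover COMP-01, COMP-02, ...
       and SERVICE ACCOUNT-1, SERVICE ACCOUNT-2, ... without listing each
       account. Do not put spaces around '|': they become part of the text
       that has to match. Prefixes are assumed from the post's examples. -->
  <rule id="500001" level="0">
    <if_sid>500000</if_sid>
    <user>^COMP-|^SERVICE ACCOUNT-</user>
    <description>Ignore machine and service accounts after hours</description>
  </rule>
</group>
```

Two checks before relying on this: the exclusion can only match events for which the decoder actually extracted the account name into the user field, so feed a representative machine-account login line through ossec-logtest and confirm the user field is populated and rule 500001 is the one that fires; and because rule 500001 is level 0, anything it matches disappears from alerts entirely, so keep the prefix list narrow enough that a human account cannot accidentally start with one of the excluded prefixes.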