I think the OP's original statement is valid. Why is OSSEC reporting valid fire on alert 40501 when multiple hosts are involved (l-logbackup1 and l-interdb3)?
Seems this alert should only fire where the host is a match.

On Monday, May 13, 2013 at 10:21:56 AM UTC-7, Jason Frisvold wrote:
> root wrote:
> > hi, all
> >
> > There is a problem, when some host make a different log, ossec can
> > associated and has False positives!
>
> Not a bug, it's by design. It's called grouping. If you want to
> disable it, you need to add <do_not_group /> to your global email
> settings.
>
> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html#element-do_not_group
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
