Hi dear community,
I installed and configured about 10 agents, and of course I have a lot of
users; some of these users are service users.
In policy-rules.xml
I have the following rules:
<group name="policy_violation,">
<rule id="17101" level="9">
<if_group>authentication_success</if_group>
<time>4 pm - 7 am</time>
<description>Successful login during non-business hours.</description>
<group>login_time,</group>
</rule>
<rule id="17102" level="9">
<if_group>authentication_success</if_group>
<weekday>weekends</weekday>
<description>Successful login during weekend.</description>
<group>login_day,</group>
</rule>
and I added a rule to ignore user www-data:
<rule id="17103" level="0">
<if_sid>17101</if_sid>
<user>www-data</user>
<description>Ignore USERNAME</description>
</rule>
but it is not working.
Also, I have a lot of users that begin with
__cpanel__service__auth__ftpd**********
Some examples:
__cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
__cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
__cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
and OSSEC mails me about these service users, saying that they had a successful login during
non-business hours. I know that, but I don't need that data in my mailbox.
How can I exclude all these service users from the policy rules?
I appreciate your help, and a lot of respect for the developers and community!
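
One way to write the exclusion asked about above, as an added example that is not part of the original post or of the OSSEC ruleset: level-0 child rules hooked to both 17101 and 17102, with the cPanel accounts matched by prefix. The rule ids 100101 and 100102 and the placement in local_rules.xml are assumptions, and the rules only match if the decoder for the login event extracts the username, which ossec-logtest shows for a sample log line.

```xml
<!-- Added example for local_rules.xml. Rule ids 100101 and 100102 are
     hypothetical; pick any unused ids from the user-defined range. -->
<group name="policy_violation,">

  <!-- Child of BOTH time-based rules: the rule in the post only hooks
       17101, so a weekend login (17102) would still alert. -->
  <rule id="100101" level="0">
    <if_sid>17101, 17102</if_sid>
    <!-- Anchored on both ends so only the exact account is silenced. -->
    <user>^www-data$</user>
    <description>Ignore off-hours login for service user www-data.</description>
  </rule>

  <!-- Prefix match: "^" anchors at the start of the decoded user field,
       so the random suffix of each cPanel FTP account needs no listing. -->
  <rule id="100102" level="0">
    <if_sid>17101, 17102</if_sid>
    <user>^__cpanel__service__auth__ftpd__</user>
    <description>Ignore off-hours login for cPanel FTP service users.</description>
  </rule>

</group>
```

Level 0 only suppresses the policy alert raised by 17101 and 17102; the parent authentication_success rule still matches and is handled at its own level.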