Hi,
you could overwrite the rule and use *time*. It would be something like:
*local_rules.xml*
<group name="test,">
  <!--
  ossec: Agent disconnected: 'TestAgent'.
  -->
  <rule id="504" level="3" overwrite="yes">
    <if_sid>500</if_sid>
    <time>03:00 am - 05:00 pm</time>
    <options>alert_by_email</options>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <group>pci_dss_10.6.1,</group>
  </rule>
</group>
Regards.
On Wednesday, September 7, 2016 at 4:12:37 PM UTC+2, Francesco Raimondi
wrote:
>
> Greetings everyone,
>
> I wonder if it's possible to create a new rule or fire an existing one
> based on a specific time period. More specifically, I need to modify the
> rule for the agent disconnection and I need to be alerted only if it's
> fired in between 10:00 - 12:00 AM and 03:00 - 05:00 PM.
>
> Any help would be greatly appreciated.
>
> Frank
>
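
A single `<time>` element holds one range, so the two windows from the question can be covered with one child rule per window. This is an added example, not part of either message: the rule ids 100504 and 100505 are hypothetical, "10:00 - 12:00 AM" is assumed to mean 10:00 to noon, and setting rule 504 to level 0 is an assumption that no alert is wanted outside the windows.

```xml
<!-- Added example for local_rules.xml. Rule ids 100504 and 100505 are hypothetical. -->
<group name="local,">

  <!-- Keep the stock match for rule 504 but set it to level 0, so it raises
       no alert by itself and only serves as the parent of the timed rules. -->
  <rule id="504" level="0" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected (parent rule, no alert).</description>
  </rule>

  <!-- Morning window, written in 24-hour form to avoid am/pm ambiguity at noon. -->
  <rule id="100504" level="3">
    <if_sid>504</if_sid>
    <time>10:00-12:00</time>
    <options>alert_by_email</options>
    <description>Ossec agent disconnected (10:00 to 12:00 window).</description>
    <group>pci_dss_10.6.1,</group>
  </rule>

  <!-- Afternoon window, 03:00 pm to 05:00 pm in 24-hour form. -->
  <rule id="100505" level="3">
    <if_sid>504</if_sid>
    <time>15:00-17:00</time>
    <options>alert_by_email</options>
    <description>Ossec agent disconnected (15:00 to 17:00 window).</description>
    <group>pci_dss_10.6.1,</group>
  </rule>

</group>
```

Restart the OSSEC manager after editing local_rules.xml so the rules are reloaded.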