This is exactly what I was looking for! And I'm really sorry to have wasted your time, I should have read the documentation more carefully, since it's clearly explained there.
Thanks!

On Wednesday, 7 September 2016 20:02:11 UTC+2, Jesus Linares wrote:
>
> Hi,
>
> you could overwrite the rule and use *time*. It would be something like:
>
> *local_rules.xml*
> <group name="test,">
>   <!--
>   ossec: Agent disconnected: 'TestAgent'.
>   -->
>   <rule id="504" level="3" overwrite="yes">
>     <if_sid>500</if_sid>
>     <time>03:00 am - 05:00 pm</time>
>     <options>alert_by_email</options>
>     <match>Agent disconnected</match>
>     <description>Ossec agent disconnected.</description>
>     <group>pci_dss_10.6.1,</group>
>   </rule>
> </group>
>
> Regards.
>
>
> On Wednesday, September 7, 2016 at 4:12:37 PM UTC+2, Francesco Raimondi wrote:
>>
>> Greetings everyone,
>>
>> I wonder if it's possible to create a new rule or fire an existing one
>> based on a specific time period. More specifically, I need to modify the
>> rule for the agent disconnection and I need to be alerted only if it's
>> fired in between 10:00 - 12:00 AM and 03:00 - 05:00 PM.
>>
>> Any help would be greatly appreciated.
>>
>> Frank
>>
