Hi Fredrik,

Do you want to ignore rule 5501 if it is fired by your script? Is it 
not enough with the hostname and the user?

Regards.

On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote:
>
> Hello,
>
> Let's say I have a script which runs once every half an hour, with a 
> latency difference of about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3. Username
>
> The reason I prefer more than a single match, i.e. only time, is to not by 
> mistake miss an actual event.
>
> <rule id="100203" level="0" timeframe="20">
>   <if_sid>5501</if_sid>
>   <time>**:30</time>
>   <hostname>agent-hostname</hostname>
>   <user>ssh-user</user>
>   <options>no_email_alert</options>
>   <description>Ignore rule 5501 for host </description>
> </rule>
>
> Kind regards,
> Fredrik
>
