I never used it: http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
I think it is the time when the event comes to the manager (not the original time).

On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson <[email protected]> wrote:
> > Hello,
> >
> > Let's say I have a script which runs once every half an hour, with a latency
> > difference of about 10-20 seconds.
> > Would it be possible to match the following:
> >
> > 1. Time
> > 2. Hostname
> > 3. Username
> >
> > The reason I prefer more than a single match, i.e. only time, is to not by
> > mistake miss an actual event.
> >
> >   <rule id="100203" level="0" timeframe="20">
> >     <if_sid>5501</if_sid>
> >     <time>**:30</time>
> >     <hostname>agent-hostname</hostname>
> >     <user>ssh-user</user>
> >     <options>no_email_alert</options>
> >     <description>Ignore rule 5501 for host </description>
> >   </rule>
> >
>
> Where do you plan on getting the time from? The timestamp in the logs
> is stripped off and not evaluated.
>
> > Kind regards,
> > Fredrik
> >
> > --
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
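An added example, not posted by anyone in the thread: a local_rules.xml fragment that keeps the posted rule's intent (if_sid, hostname, user) but writes the time in the range form the linked OSSEC documentation accepts (hh:mm-hh:mm, or the "9 am - 5 pm" style). The window 02:30-02:31, the rule id, the hostname and the user are placeholders I chose; the comparison is against the clock on the side that evaluates the rule, so the window is widened to absorb the 10-20 s latency mentioned above.

```xml
<!-- Added example for local_rules.xml; not code from the thread.
     Window, rule id, hostname and user are assumed placeholders. -->
<group name="local,">

  <!-- As posted: "**:30" is not a documented time range, so the rule
       never matches and 5501 keeps alerting for every login. -->
  <!--
  <rule id="100203" level="0" timeframe="20">
    <if_sid>5501</if_sid>
    <time>**:30</time>
    <hostname>agent-hostname</hostname>
    <user>ssh-user</user>
  </rule>
  -->

  <!-- Corrected: one concrete range (start of the job plus the observed
       latency), narrowed by hostname and user so only the scheduled
       login is silenced. timeframe is dropped: it only has meaning
       together with <frequency> in a composite rule. -->
  <rule id="100203" level="0">
    <if_sid>5501</if_sid>
    <time>02:30-02:31</time>
    <hostname>agent-hostname</hostname>
    <user>ssh-user</user>
    <options>no_email_alert</options>
    <description>Ignore 5501: scheduled ssh-user job on agent-hostname</description>
  </rule>

</group>
```

Two caveats for anyone reusing this. A single time element cannot express ":30 of every hour", so a job that runs every half hour needs one rule per window, or the rule has to rely on hostname and user alone. And a level 0 rule is a blind spot: any login as ssh-user on agent-hostname inside the window is hidden, including an attacker's, which is exactly the "miss an actual event" concern raised in the question; if the job always connects from one address, adding a srcip condition narrows that blind spot further (assumed, since the thread does not say where the script runs).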
