I did end up doing this, user and hostname. However, this isn't the 'optimal' solution, as I do prefer to get alerts from the user + hostname at other times than ignoring it every half an hour. I will look more into the time element later on and see if there's a way to achieve what I was trying to do.
Thanks for the response and help though!

Kind regards

On Tuesday, 4 July 2017 at 20:00:53 UTC+2, Jesus Linares wrote:
> Hi Fredrik,
>
> Do you want to ignore rule 5501 if it is fired by your script? Is it not enough with the hostname and the user?
>
> Regards.
>
> On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello,
>>
>> Let's say I have a script which runs once every half an hour, with a latency difference of about 10-20 seconds.
>> Would it be possible to match the following:
>>
>> 1. Time
>> 2. Hostname
>> 3. Username
>>
>> The reason I prefer more than a single match, i.e. only time, is to not miss an actual event by mistake.
>>
>> <rule id="100203" level="0" timeframe="20">
>>   <if_sid>5501</if_sid>
>>   <time>**:30</time>
>>   <hostname>agent-hostname</hostname>
>>   <user>ssh-user</user>
>>   <options>no_email_alert</options>
>>   <description>Ignore rule 5501 for host </description>
>> </rule>
>>
>> Kind regards,
>> Fredrik
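Added example, not part of the thread and not OSSEC's own rule engine: a stand-alone model of the suppression Fredrik describes, where hostname, user and a short window after each :00/:30 slot must all match before a rule 5501 event is ignored. The hostname, user and timings are constructed values taken from the quoted rule and question.

```python
from datetime import datetime, timedelta

# Model of the three-way match from the thread: suppress the scheduled
# SSH login (rule 5501) only when hostname AND user AND time all agree,
# so the same account logging in off-schedule still produces an alert.

SCHEDULE_MINUTES = (0, 30)          # the job fires on the hour and half hour
LATENCY = timedelta(seconds=20)     # 10-20 s observed delay of the scripted login


def within_schedule(ts: datetime, latency: timedelta = LATENCY) -> bool:
    """True if ts lies in [slot, slot + latency] for a :00 or :30 slot of its hour."""
    for minute in SCHEDULE_MINUTES:
        slot = ts.replace(minute=minute, second=0, microsecond=0)
        if slot <= ts <= slot + latency:
            return True
    return False


def should_suppress(event: dict, hostname: str, user: str) -> bool:
    """All conditions must hold; a single match (time only) would hide real logins."""
    return (
        event["rule_id"] == 5501
        and event["hostname"] == hostname
        and event["user"] == user
        and within_schedule(event["time"])
    )


# Constructed sample events (not real alert data).
SAMPLE_EVENTS = [
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "time": datetime(2017, 7, 3, 12, 30, 14)},   # scheduled job, 14 s late
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "time": datetime(2017, 7, 3, 12, 41, 2)},    # same account, off schedule
    {"rule_id": 5501, "hostname": "other-host", "user": "ssh-user",
     "time": datetime(2017, 7, 3, 13, 0, 5)},     # right time, wrong host
    {"rule_id": 5501, "hostname": "agent-hostname", "user": "admin",
     "time": datetime(2017, 7, 3, 13, 0, 5)},     # right time, wrong user
]


def alerts_to_keep(events, hostname="agent-hostname", user="ssh-user"):
    """Return the events that would still raise an alert."""
    return [e for e in events if not should_suppress(e, hostname, user)]


if __name__ == "__main__":
    for e in alerts_to_keep(SAMPLE_EVENTS):
        print("ALERT", e["time"], e["hostname"], e["user"])
```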