Hello, I'm getting a massive influx of emails for one rule and I would like to turn it off or override it.

Alert output:

    Received From: (HOST) 192.168.1.206->WinEvtLog
    Rule: 18103 fired (level 5) -> "Windows error event."
    User: SYSTEM
    Portion of the log(s):

    2019 Feb 21 04:11:19 WinEvtLog: System: ERROR(36887): Schannel: SYSTEM: NT AUTHORITY: HOST.Domain.tld: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70. type: System

I tried adding a rule to match this but it did not work. Using this as a template --> https://groups.google.com/d/msg/ossec-list/fsHVu8w-alI/ylDwKXkN3CMJ

I added it in the etc/rules/local_rules.xml folder of the manager under the default group "<group name="local,syslog,sshd,">":

    <rule id="101013" level="2" frequency="10" timeframe="1600">
      <if_matched_sid>18154</if_matched_sid>
      <match>WinEvtLog: System: ERROR(36887):</match>
      <description>turn down the noise on this event</description>
    </rule>

Can anyone let me know where I'm wrong? I never created a custom rule so I'm sure I'm doing something wrong here.

Thanks.
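The following is an added example of the standard OSSEC pattern for lowering the level of one noisy event while leaving the parent rule intact; it is not part of the original post or the OSSEC rule set. It assumes that 18103 is the rule that fired (as the alert above shows) and that the Schannel message always carries the literal text "ERROR(36887): Schannel". The rule id 100200 is a placeholder chosen from the range reserved for local rules.

```xml
<!-- Added example for etc/rules/local_rules.xml (manager side). -->
<group name="local,windows,">

  <!-- Child of the stock "Windows error event" rule (18103).
       if_sid makes this a simple override: whenever 18103 would fire
       and the log contains the Schannel 36887 text, this rule fires
       instead, at a level below the email threshold.
       Level 0 would suppress the alert entirely; level 2 keeps it
       in alerts.log for later review without generating email. -->
  <rule id="100200" level="2">
    <if_sid>18103</if_sid>
    <match>ERROR(36887): Schannel</match>
    <description>Schannel fatal TLS alert from remote endpoint (36887); noise reduced.</description>
  </rule>

</group>
```

Two design points worth noting. `if_sid` binds the rule to the parent that actually fired; `if_matched_sid` together with `frequency` and `timeframe` is the composite-rule form, which only fires after that many matches of the referenced sid within the window. And after editing local_rules.xml the manager has to be restarted, after which the change can be checked offline with the bundled ossec-logtest utility by pasting the original log line and confirming that the last rule reported is the new one rather than 18103.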
