Hello Sparks,
It might be possible to do this via OSSEC rules. You might be able to get
the directories that the desired agents are monitoring and ignore the
alerts coming from those specific devices using that directory as a
condition.
The rule that alerts on those syscheck changes by default is rule
550. Then, you could create a child rule of it to silence the
alerts only when a specific directory is monitored. To silence a rule, you just
need to give it level 0. Example:
<group name="ignoring_agentless">
  <!-- Child of syscheck rule 550; level 0 drops the alert -->
  <rule id="100005" level="0">
    <if_sid>550</if_sid>
    <!-- OSSEC regex syntax: \. matches any character -->
    <regex>/agentless/directory\.*</regex>
    <description>Ignoring specific agentless directory.</description>
  </rule>
</group>
I hope this helps.
Regards,
Jose Manuel Lopez
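As an added example (not from this thread), the same child-rule idea bounded to a maintenance window, so the parent rules keep firing outside it. Rule id 100010, the 02:00-04:00 window and the use of rules 553/554 alongside 550 are assumptions; /home/ossec is the path from the question.

```xml
<!-- Added example, not from the thread. Goes in rules/local_rules.xml.
     Rule id 100010 and the 02:00-04:00 window are assumed values. -->
<group name="local,syscheck,maintenance,">
  <!-- Child of the stock syscheck rules: 550 changed, 553 deleted, 554 added -->
  <rule id="100010" level="0">
    <if_sid>550,553,554</if_sid>
    <!-- substring match on the reported path; covers everything below it -->
    <match>/home/ossec/</match>
    <!-- only silence while the update window is open (hh:mm-hh:mm) -->
    <time>02:00-04:00</time>
    <description>Maintenance window: ignoring integrity changes under /home/ossec.</description>
  </rule>
</group>
```

Because the condition is the path, this silences that path on every agentless host that monitors it, not just the five being updated; give maintenance hosts a path of their own if they must be isolated. Level 0 only drops the alert; the server still records the new checksums as the baseline, so changes made during the window are not re-alerted afterwards and should be reviewed separately.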
On Thursday, May 28, 2020 at 8:46:40 PM UTC+2 [email protected] wrote:
> Hello, good morning,
>
> Does somebody know if there is an option to stop alerting for a specific
> agentless host during Linux OS updates? For example, if I have 10 agentless
> hosts, how can I stop the alerts for 5 of them?
>
> For example, something like this (I know that this doesn't work, hehe):
> <agentless>
> <type>ssh_integrity_check_linux</type>
> *<email_notification>no</email_notification>*
> <frequency>36000</frequency>
> <host>[email protected]</host>
> <state>periodic</state>
> <arguments>/home/ossec</arguments>
> </agentless>
>
> Regards
>
>
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/a1c5fd0d-59c0-41b3-a45d-271fc8fb38f4n%40googlegroups.com.