Hi All, new to the group, new to OSSEC. I have set up an OSSEC server
(Linux) and several Windows clients. I would like to get alerts for
specific Windows event log events, and have set up a dummy event. It
works, I get an alert. The problem I'm having is I get the alert
continuously (the best I've achieved is to throttle the alerts back to one
every hour). I'd like (possibly at the server end?) to filter these
alerts so that once I've seen them, I don't get more alerts. I can't
delete event log data, so am wondering if there's a way to do this with IDs
and date/time stamps?
E.g., in my client ossec.conf, I have the following entry (which is aimed
at a fake event for testing):
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <!-- EventID lives under the <System> element of the Windows event XML,
         so the XPath must select Event/System, not Event/Application. -->
    <query>Event/System[EventID=1]</query>
  </localfile>
How would I filter the alert related to this rule out once I was ready to
do so? Is there a way to wildcard dates, so that any alerts for this ID
before a certain date, or within a date range from "today", don't get sent? I
assume this is probably something I should have been able to find in the
documentation or in this group's threads...
Hoping to get a "how to" link... maybe one that touches on doing this with
rules and decoders?
Thx!
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/19b451ee-3acf-4a7f-9136-c14110dc1683n%40googlegroups.com.
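The usual way to stop a known event from alerting is on the server side, with a local rule rather than with the agent's <localfile> query: a child rule at level 0 matches the event and produces no alert. The fragment below is an added example written for this thread, not code from the original post or from the OSSEC project. It assumes the standard local rule ID range (100000 and up), that the event is decoded by the built-in windows decoder with the event number in the decoded `id` field, and that rule 18100 is the parent "Group of windows rules" in msauth_rules.xml; confirm the parent ID on your own install with /var/ossec/bin/ossec-logtest before relying on it.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC server (added example).
     Assumes: local rule IDs 100000+, parent Windows rule 18100, decoded field "id". -->
<group name="local,windows,">

  <!-- Once Application EventID 1 has been reviewed, drop it to level 0.
       The event is still read and decoded, but no alert is generated and
       nothing is written to alerts.log or e-mailed. Remove this rule when
       you want alerts for the event again. -->
  <rule id="100001" level="0">
    <if_sid>18100</if_sid>
    <id>^1$</id>
    <description>Application EventID 1: already reviewed, suppressed locally.</description>
  </rule>

  <!-- Alternative (commented out): keep alerting but fire at most once an
       hour. <ignore> is the number of seconds the rule stays quiet after it
       fires; 3600 reproduces the one-per-hour throttle described above.
       Use one approach or the other for the same event, not both.

  <rule id="100002" level="5">
    <if_sid>18100</if_sid>
    <id>^1$</id>
    <ignore>3600</ignore>
    <description>Application EventID 1, rate-limited to one alert per hour.</description>
  </rule>
  -->

</group>
```

After editing local_rules.xml, restart the server (/var/ossec/bin/ossec-control restart) and feed a sample line to ossec-logtest to confirm that rule 100001 is the one that matches and that it reports level 0. On the date question: OSSEC rules can be limited by `<time>` (time of day) and `<weekday>`, but there is no calendar-date option, so "suppress this ID before date X" cannot be expressed in a rule; the practical equivalent is to add the level-0 rule when you have finished reviewing the event and delete it when you want the alerts back.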