Still struggling with this... and am guessing the documentation is out there to solve it but...

Q: is there a link someone can suggest (or a thread from this group) that outlines for a newbie, at the most basic level, how to create a simple rule (and decoder?) that sends an alert if a specific event happens in the Windows event log? Thank you.

On Wednesday, January 4, 2023 at 12:05:32 PM UTC-5 Secure moi wrote:

> Hi All, new to the group, new to Ossec. I have set up an Ossec server (Linux) and several Windows clients. I would like to get alerts for specific Windows event log events, and have set up a dummy event. It works, I get an alert. The problem I'm having is I get the alert continuously (the best I've achieved is to throttle the alerts back to one every hour). I'd like (possibly at the server end?) to filter these alerts so that once I've seen them, I don't get more alerts. I can't delete event log data, so am wondering if there's a way to do this with IDs and date/time stamps?
>
> E.g., in my client ossec.config, I have the following rule (which is aimed at a fake event for testing):
>
> <localfile>
>   <location>Application</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/Application[EventID=1]</query>
> </localfile>
>
> How would I filter the alert related to this rule out once I was ready to do so? Is there a way to wild card dates, so that any alerts for this ID on and before a certain date or date range from "today" don't get sent? I assume this is probably something I should have been able to find in the documentation or in this group's threads...
>
> Hoping to get a "how to link"... maybe that touches on doing this with rules and decoders?
>
> Thx!
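Added example (not from the thread or the OSSEC project): a local_rules.xml fragment that turns the quoted <localfile> entry into a server-side alert and shows the two suppression options the first post is after. It assumes OSSEC's stock windows decoder puts the Windows event ID in the decoded `id` field and that 18100 is the stock "Group of windows rules" parent; the rule IDs 100100/100101, the level and the 3600 s ignore window are chosen here.

```xml
<!-- Added example for local_rules.xml (not from the thread). Assumes the stock
     OSSEC windows decoder sets the decoded "id" field to the Windows event ID
     and that 18100 is the stock "Group of windows rules" parent rule. -->
<group name="local,windows,">

  <!-- Alert on Application event ID 1 collected by the eventchannel
       <localfile> entry, then stay quiet for an hour (3600 s) before this
       rule is allowed to fire again. This is the "one per hour" throttle. -->
  <rule id="100100" level="8">
    <if_sid>18100</if_sid>
    <id>^1$</id>
    <description>Windows Application log: event ID 1 seen</description>
    <ignore>3600</ignore>
  </rule>

  <!-- Once the event has been reviewed, uncomment this child rule. A level 0
       match overrides its parent, so no alert is generated for event ID 1
       until the rule is removed again. The time-based rule matches I know of
       are <time> (time of day) and <weekday>; there is no calendar-date
       match, so "silence until date X" means adding and later removing
       this child rule rather than wildcarding a date in the rule itself. -->
  <!--
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <description>Event ID 1 acknowledged, alert suppressed</description>
  </rule>
  -->

</group>
```

Restart the OSSEC server after editing local_rules.xml so the rule set is reloaded; the decoder side needs no change, since the eventchannel log line is already decoded by the stock windows decoder.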
