You can generally create rules to ignore logs you don't care about. In the case of 18154, you should look at the collected log messages and create rules to ignore the individual ones you don't want to see. If you keep them from firing 18103 alerts, then 18154 won't be triggered.
On Thu, Mar 15, 2012 at 11:42 AM, Michael Barrett <[email protected]> wrote:
>
> Is there a way to configure the OSSEC agent to ignore specific Windows
> events? I have an application that is misbehaving and it's creating OSSEC
> alerts for multiple Windows events
>
> Rule: 18154 (level 10) -> 'Multiple Windows error events.'
>
> Can I configure OSSEC agent to eliminate rule 18154?
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
> Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7
> 1.888.601.4440 | * [email protected]
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.
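
An added example, not part of the original thread: a local rule of the kind the reply describes, placed in local_rules.xml on the OSSEC server, that matches one noisy event as a child of 18103 at level 0 so it no longer counts toward 18154. The rule id 100100, the event ID 1000 and the string ExampleApp are constructed placeholders; take the real values from the messages collected in the 18154 alert.

```xml
<!-- local_rules.xml (added example; id, event ID and match text are placeholders) -->
<group name="local,windows,">

  <!-- Child of 18103 ("Windows error event"). Level 0 means no alert is
       generated, and because this rule matches instead of 18103, the event
       is not counted by the 18154 composite rule. -->
  <rule id="100100" level="0">
    <if_sid>18103</if_sid>
    <!-- Windows event ID of the noisy message (placeholder) -->
    <id>^1000$</id>
    <!-- Text identifying the misbehaving application (placeholder) -->
    <match>ExampleApp</match>
    <description>Ignore known-noisy error event from ExampleApp.</description>
  </rule>

</group>
```

Keep the match as narrow as possible (event ID plus application text) so other Windows error events still reach 18103 and 18154. After restarting OSSEC on the server, a collected sample line can be checked with ossec-logtest to confirm it now lands on the level 0 rule.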
