On Aug 31, 2013 1:01 PM, "Tim Boyer" <[email protected]> wrote:
>
> Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the way I expect. I assume that that is a problem with my expectations, but just in case...
>

The email you provided only includes 1 alert, not a group of alerts. The alert happens to include multiple log messages, but it is still just 1 alert.

> ossec.conf looks like so:
>
> <email_alerts>
>   <email_to>WINDOWS</email_to>
>   <level>5</level>
>   <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
>   <do_not_group />
> </email_alerts>
>
> but 'Multiple Windows error events' continues to group messages, like so:
>
> Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> Portion of the log(s):
>
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
>
> I believe this is only happening with the 'Multiple Windows' alert. Is this a limitation in do_not_group, or is there something I'm doing wrong?
>
> Thanks,
>
> Tim
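The distinction drawn in the reply above, as an added example that is not part of the original thread: a Python parser that counts alerts and log lines separately in an OSSEC alert mail body. The header layout is taken from the quoted mail; the `--END OF NOTIFICATION` marker, the second (grouped) alert and the names `parse_alerts` and `summarize` are assumptions.

```python
import re

# Rule header as it appears in the alert mail quoted in this thread.
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$')
END_MARK = "--END OF NOTIFICATION"  # assumption: marker closing each alert

def parse_alerts(body):
    """Split an alert mail body into alerts, each with its own log lines."""
    alerts, cur, in_logs = [], None, False
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("Received From:"):  # a new alert starts here
            cur = {"rule": None, "logs": []}
            alerts.append(cur)
            in_logs = False
        elif cur is None or not line:
            continue
        elif line.startswith(END_MARK):
            cur = None
        elif in_logs:  # log lines attached to the current alert
            cur["logs"].append(line)
        elif line.startswith("Portion of the log(s):"):
            in_logs = True
        else:
            m = RULE_RE.match(line)
            if m:
                cur["rule"] = int(m.group(1))
    return alerts

def summarize(body):
    """Return (alert_count, [(rule_id, log_line_count), ...])."""
    alerts = parse_alerts(body)
    return len(alerts), [(a["rule"], len(a["logs"])) for a in alerts]

# Constructed sample: the shape of the mail in this thread, log text shortened.
ONE_ALERT = """Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
Rule: 18154 fired (level 10) -> "Multiple Windows error events."
Portion of the log(s):

WinEvtLog: System: ERROR(7001): Service Control Manager: (constructed) event 1
WinEvtLog: System: ERROR(7001): Service Control Manager: (constructed) event 2
"""
# Constructed sample: a second alert in the same mail; rule 99999 is a placeholder.
GROUPED = ONE_ALERT + """ --END OF NOTIFICATION
Received From: (HOSTB) 192.0.2.10->WinEvtLog
Rule: 99999 fired (level 5) -> "Constructed placeholder rule."
Portion of the log(s):
WinEvtLog: (constructed) single event
"""
print(summarize(ONE_ALERT), summarize(GROUPED))
```

An alert count of 1 with several log lines is a single alert carrying several events; a count above 1 means several alerts arrived in one mail.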
