Hello Stefano,

For your case it would be very helpful to share with us your *ossec.conf* (
*/var/ossec/etc/ossec.conf*) file in order to provide a clear answer. 
However, I will explain certain points to you:

The level attribute defined in your new rule is "0". On the other hand, your 
*ossec.conf* may contain the following values in the alerts tag:

<alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
</alerts>



If your log_alert_level is "0", it is normal behavior to still have logs 
generated.
Also, if the email_alert_level is higher than "0", which is most likely the 
case, emails won't be sent. In that case you had better raise the level of 
your rule to match or be higher than the value in the email_alert_level tag.

If none of these hypotheses is true, would you please share with me 
privately your *alerts.json* (*/var/ossec/logs/alerts/alerts.json*) and, 
as mentioned above, your *ossec.conf* for further investigation.

Make sure to restart your Wazuh Manager:

 systemctl restart wazuh-manager


Hope this will help,
Best regards,
Wali.k

On Wednesday, September 19, 2018 at 5:43:00 PM UTC+2, Stefano Serano wrote:
>
> Hi.
> I added this custom rule on local rules:
>
> <rule id="800001" level="0">
>     <if_sid>5710</if_sid>
>     <description> ignore SSH</description>
>     <description>failed logins</description>
> </rule>
>
> This stops sending me mail alerts, but I can still see logs being generated 
> in Kibana. What can I do?
>
>
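The threshold comparison discussed in this thread, as an added example that is not part of the original messages or of Wazuh's own code: it reads the `<alerts>` thresholds and each rule's level and reports whether the rule would reach the alerts log and email. It assumes a simple "rule level >= threshold" comparison as described in the reply; the sample files are constructed and rule 800002 is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (values mirror the thread, files are not real).
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>"""

LOCAL_RULES = """<group name="local,">
  <rule id="800001" level="0">
    <if_sid>5710</if_sid>
    <description>ignore SSH failed logins</description>
  </rule>
  <rule id="800002" level="12">
    <if_sid>5710</if_sid>
    <description>constructed high-severity rule</description>
  </rule>
</group>"""

def parse_fragments(text):
    """These files may hold several top-level elements, so wrap them in one root."""
    text = re.sub(r"<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")

def read_thresholds(conf_text):
    """Return (log_alert_level, email_alert_level); the last value found is used."""
    found = {}
    for alerts in parse_fragments(conf_text).iter("alerts"):
        for child in alerts:
            if child.tag in ("log_alert_level", "email_alert_level"):
                found[child.tag] = int(child.text.strip())
    return found["log_alert_level"], found["email_alert_level"]

def rule_outcomes(rules_text, log_level, email_level):
    """Map rule id -> (level, logged, emailed) using level >= threshold (assumption)."""
    result = {}
    for rule in parse_fragments(rules_text).iter("rule"):
        level = int(rule.get("level"))
        result[rule.get("id")] = (level, level >= log_level, level >= email_level)
    return result

if __name__ == "__main__":
    log_level, email_level = read_thresholds(OSSEC_CONF)
    for rid, (lvl, logged, emailed) in rule_outcomes(LOCAL_RULES, log_level, email_level).items():
        print(f"rule {rid} level {lvl}: alerts log={logged} email={emailed}")
```
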
