[ossec-list] Fw: logging local agent?

2011-11-22 Thread Michael Barrett
Did someone reply to this and I'm just not seeing it? Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | michael_bar

Re: [ossec-list] server-agent response on and another question

2011-11-22 Thread Doug Burks
Hi Artien, The rule should be in local_rules.xml (and don't forget to restart OSSEC after placing it there). Looks like the output of the command says "load average" (no 's'), but the rule is trying to match "load averages" (with an 's'). Please try changing the rule to match the command output

[ossec-list] Re: Severity Levels

2011-11-22 Thread alsdks
Well, the idea was to easily distinguish specific messages quickly... For example, there are many alerts of level 3 from different sources, etc., so the idea was not to give to a custom message a specific alert. But anyway, I see your point. There are other ways after all to search, I guess. Thank

[ossec-list] Re: XML syntax

2011-11-22 Thread alsdks
Thank you Dan, I don't know how I have missed that... I must have bumped into every page individually but not the central! On Nov 17, 10:34 pm, "dan (ddp)" wrote: > http://www.ossec.net/doc/syntax/index.html? > On Tue, Nov 15, 2011 at 8:26 AM, alsdks wrote: > > Hello, > > Is t

Re: [ossec-list] Override rules on a per server basis

2011-11-22 Thread Oliver Müller
Yes, in my case 100103 is triggered and 31151 is "disabled", but 100102 is not triggered after that anymore. The problem that I see is that I am trying to define all my customized rules in local_rule.xml, so in case of an update I know which ones have been changed by myself. In order to define