[ossec-list] Re: Monitoring Windows AD account lockouts etc

2015-11-25 Thread gugalou38
Hi Derek, I have the same issue with event 4771. Could you send me your custom rules? Regards, Gustavo. On Monday, February 23, 2015 at 17:28:39 UTC-3, Stephen Carr wrote: > > Hey there all, I’m wading into the realm of Domain Controller security > logs and what is possible for filte

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
Thank you Pedro. I've actually taken a step back from this, and I'm trying to figure out why the emails are getting sent in the first place. If the default level is 7, and I haven't changed that: yes myem...@mydomain.com my.smtp.server os...@mydomain.com 127.0.0.1 yes

[ossec-list] Re: Monitoring Windows AD account lockouts etc

2015-11-25 Thread Phillipa Moorea
I would be interested in this as well! Thanks! On Monday, February 23, 2015 at 2:28:39 PM UTC-6, Stephen Carr wrote: > > Hey there all, I’m wading into the realm of Domain Controller security > logs and what is possible for filtering events to get a more fine-grained > alerting setup based on ce

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-25 Thread Phillipa Moorea
Ok, I think I know what's going on now. I do not have the latest stable release of 2.8.3. I think I might have 2.8.2 or 2.8.1 or something. I found this issue which resembled my issue because the logs have multiple lines in powershell. https://github.com/ossec/ossec-hids/issues/224 Then I saw

[ossec-list] Re: Monitoring Windows AD account lockouts etc

2015-11-25 Thread namobuddhaonion
+1 On Wednesday, November 25, 2015 at 9:32:09 AM UTC-5, Phillipa Moorea wrote: > > I would be interested in this as well! Thanks! > > On Monday, February 23, 2015 at 2:28:39 PM UTC-6, Stephen Carr wrote: >> >> Hey there all, I’m wading into the realm of Domain Controller security >> logs and what

RE: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread lostinthetubez
On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 1002, right there towards the top. Note the options element, which contains alert_by_email. That option tells OSSEC to ignore your email_alert_level and just send an email every time this rule matches. As you have seen

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: > > On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for > rule 1002, right there towards the top. Note the options element, which > contains alert_by_email. That option tells OSSEC to ignore your > em

RE: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread lostinthetubez
Let's keep things simple for the purposes of troubleshooting. Verify a basic rule works, then you can get as complex as you like. Try using this: 1002 Update peer failed with code 22 testing Also, copy/paste the exact alert message when/if you get one. Be very careful not to replace white s

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
I've pretty much already done that, and have had the same results. I've tried it with 1002 and without, I've tried it with or with . Each time, logtest catches it as a "will not alert", but the emails still continue to come in. On Wednesday, November 25, 2015 at 3:00:57 PM UTC-5, LostInThe T

Re: [ossec-list] syslog from OSSEC Manager server to a Solarwind Server

2015-11-25 Thread Santiago Bassett
There is a syslog output option that you can configure on the manager. http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syslog_output.html Santiago Bassett @santiagobassett > On Nov 23, 2015, at 9:06 AM, Stephen LuShing wrote: > > I want to know if anyone knows how to send t