Re: [ossec-list] Re: Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

2010-04-23 Thread dan (ddp)
Strange. I haven't seen these alerts myself, so excuse any silly questions. Is the offending username included in the alert? Any complaints in the logs about this rule? Try running the various ossec daemons with the "-d" flag. This puts them in a debug mode. Maybe try something like this:

[ossec-list] Re: Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

2010-04-23 Thread fusspils
Yes I did have the around the rule which I have now removed. I also removed the hostname field, restarted the OSSEC server but still get the mails. Any other ideas? On Apr 21, 9:30 pm, "dan (ddp)" wrote: > Do you have the around the rule? If so, the rule is commented > out. > This one is

Re: [ossec-list] Re: Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

2010-04-22 Thread dan (ddp)
Do you have the around the rule? If so, the rule is commented out. This one is a tough one to test due to 18152's structure. I'd consider taking out the hostname field to start with, maybe see if that helps. On Wed, Apr 21, 2010 at 1:56 PM, fusspils wrote: > Thanks for your reply Dan, > > I have

[ossec-list] Re: Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

2010-04-21 Thread fusspils
Thanks for your reply Dan, I have just tried what you suggested but still get the mails. I restarted the OSSEC server with the same results. The rule now reads.. On Apr 21, 2:06 pm, "dan (ddp)" wrote: > Have you tried adding 18152? > > > > On Wed, Apr 21, 2010 at 8:11 AM, fusspils wro

Re: [ossec-list] Re: Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

2010-04-21 Thread dan (ddp)
Have you tried adding 18152? On Wed, Apr 21, 2010 at 8:11 AM, fusspils wrote: > I have added the following to my local_rules.xml but I continue to get > the alerts emailed, am I missing something else? > >   >   BDC|PDC >   10 >   LTDPM1$ >   Ignoring DPM Backup User >   > > > On Apr 19, 3:38 pm,

[ossec-list] Re: Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

2010-04-21 Thread fusspils
I have added the following to my local_rules.xml but I continue to get the alerts emailed, am I missing something else? BDC|PDC 10 LTDPM1$ Ignoring DPM Backup User On Apr 19, 3:38 pm, fusspils wrote: > Hi, > > I am constantly getting the Rule: 18152 fired (level 10) -> "Multipl