Hi dear community, i install and configure about 10 agents, and of course i have a lot of users,a part of this users are service-users
in policy-rules.xml i have next rules <group name="policy_violation,"> <rule id="17101" level="9"> <if_group>authentication_success</if_group> <time>4 pm - 7 am</time> <description>Successful login during non-business hours.</description> <group>login_time,</group> </rule> <rule id="17102" level="9"> <if_group>authentication_success</if_group> <weekday>weekends</weekday> <description>Successful login during weekend.</description> <group>login_day,</group> </rule> and ii add a rule to ignore user www-data <rule id="17103" level="0"> <if_sid>17101</if_sid> <user>www-data</user> <description>Ignore USERNAME</description> </rule> but is not working also i have a lot of users what begin with __cpanel__service__auth__ftpd********** some exaples: __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE and ossec mail me for this service-users that they successful login during non-business hours, i know that but i don't need that data in mail box how can i exclude all this service users for policy rules? i appreciate your help, and a lot of respect for developers and community! -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.