List:       ossec-list
Subject:    Re: [ossec-list] I need help to ignore a Host Login
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2016-08-17 18:58:43
Message-ID: CAMyQvMpdXXx07aQtEG_L6a0OGHq73dOLo-uTCj3=NMBhyOL59w () mail ! gmail ! com

On Wed, Aug 17, 2016 at 2:50 PM, Pedro dal toe <pedrodaltoe@gmail.com> wrote:
> We are monitoring with Zabbix, where Zabbix logs in to the machine over SSH and
> checks whether the line "INFO: Connected to the server" is in the
> /var/ossec/logs/ossec.log file, but we are getting login alerts.
> I looked for some ignores or white lists, but found none. If someone can help
> me, thank you.
> 

Without a log sample I can only provide a guess. Maybe something like
this in local_rules.xml:

<rule id="320000" level="0">
  <if_sid>SID_OF_ALERT_YOU_ARE_SEEING</if_sid>
  <srcip>IP_OF_ZABBIX</srcip>
  <description>Ignore zabbix</description>
</rule>
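
To fill in the SID_OF_ALERT_YOU_ARE_SEEING placeholder, the following added example (not part of the original message) tallies which rule IDs fire for a given source IP in alerts.log text. The alert layout, the sample alerts, the IP addresses and the function name `rules_for_source` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout assumed for /var/ossec/logs/alerts/alerts.log.
# Hosts, IPs, timestamps and alert contents are made up for this example.
SAMPLE_ALERTS = """\
** Alert 1471459801.1001: - syslog,sshd,authentication_success,
2016 Aug 17 18:50:01 web01->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
User: zabbix
Aug 17 18:50:01 web01 sshd[2211]: Accepted publickey for zabbix from 192.0.2.10 port 51234 ssh2

** Alert 1471459801.1402: - pam,syslog,authentication_success,
2016 Aug 17 18:50:01 web01->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Aug 17 18:50:01 web01 sshd[2211]: pam_unix(sshd:session): session opened for user zabbix by (uid=0)

** Alert 1471459861.1803: - syslog,sshd,authentication_success,
2016 Aug 17 18:51:01 web01->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
User: zabbix
Aug 17 18:51:01 web01 sshd[2290]: Accepted publickey for zabbix from 192.0.2.10 port 51301 ssh2

** Alert 1471459900.2204: - syslog,sshd,authentication_success,
2016 Aug 17 18:51:40 web01->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.7
User: admin
Aug 17 18:51:40 web01 sshd[2301]: Accepted password for admin from 198.51.100.7 port 40022 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (\S+)$")

def rules_for_source(alerts_text, src_ip):
    """Count alerts per (rule id, level, description) whose decoded Src IP is src_ip."""
    counts = Counter()
    for block in re.split(r"\n\s*\n", alerts_text.strip()):
        rule = ip = None
        for line in block.splitlines():
            if rule is None and (m := RULE_RE.match(line)):
                rule = (int(m.group(1)), int(m.group(2)), m.group(3))
            elif ip is None and (m := SRCIP_RE.match(line)):
                ip = m.group(1)
        if rule and ip == src_ip:  # alerts with no decoded Src IP are skipped
            counts[rule] += 1
    return counts

if __name__ == "__main__":
    for (sid, level, desc), n in rules_for_source(SAMPLE_ALERTS, "192.0.2.10").items():
        print(f"{n} alert(s): rule {sid} (level {level}) {desc}")
```

Alerts that carry no decoded source IP, like the constructed PAM session alert in the sample, are not counted here and cannot be matched by a `<srcip>` condition either, so they would need a different match field.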
