Is it possible to trigger an active response on a rule with a severity level of 0?

[Rob Williams]

Essentially, I want to trigger an active response for a rule that I created that has a severity level of 0. I created this rule because I did not want to be alerted on the default rule and only wanted to be alerted based on the output from my active response. My question is if I have the severity level of 0, will it just be completely ignored without the active response even triggering? I ask because I'm having trouble setting it up properly and want to rule out if this is the cause. Thank you for your help in advance.

[dan (ddp)]

I think it will be ignored, but I've never tried it. You could try
bumping the level to 1 to see if that fixes the issue.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Jesus Linares]

Hi Rob,

I'm not sure, but you can increase the level to 1 and:

set the attribute noalert:

<rule id="?" level="1" noalert="1">

or use the options no_log:

<options>no_log</options>

Let me know if it works.

Regards.