Stop alerting for specific agentless

[Carlos Islas]

Hello good morning,

Somebody know if exist some option to stop alerting for a specific agentless host during OS linux updates? For example if i have 10 agentless host how can i stop the alerts for 5 of they?

For example something like that (i know that this doesnt work jeje):

<agentless>

  <type>ssh_integrity_check_linux</type>

  <email_notification>no</email_notification>

  <frequency>36000</frequency>

  <host>os...@172.17.1.77</host>

  <state>periodic</state>

  <arguments>/home/ossec</arguments>

</agentless>

Regards

[José Manuel López del Río]

Hello Sparks,

It might be possible to do this via OSSEC rules. You might be able to get the directories that the desired agents are monitoring and ignore the alerts coming from those specific devices using that directory as a condition.

The rule that by default is alerting those syscheck changes is the rule 550. Then, you could create a child rule of the latter to only silence the alerts when a specific directory is monitored. To silence a rule, you just need to give it level 0. Example:

<group name="ignoring_agentless">

<rule id="100005" level="0">

    <if_sid>550</if_sid>

    <regex>/agentless/directory\.*</regex>

    <description>Ignoring specific agentless directory.</description>

  </rule>

</group>

I hope this helps.

Regards,

Jose Manuel Lopez