Stop alerting for specific agentless

27 views
Skip to first unread message

Carlos Islas

unread,
May 28, 2020, 2:46:40 PM5/28/20
to ossec-list
Hello good morning,

Somebody know if exist some option to stop alerting for a specific agentless host during OS linux updates? For example if i have 10 agentless host how can i stop the alerts for 5 of they?

For example something like that (i know that this doesnt work jeje):
<agentless>
  <type>ssh_integrity_check_linux</type>
  <email_notification>no</email_notification>
  <frequency>36000</frequency>
  <host>os...@172.17.1.77</host>
  <state>periodic</state>
  <arguments>/home/ossec</arguments>
</agentless>

Regards

José Manuel López del Río

unread,
Sep 8, 2020, 8:55:59 AM9/8/20
to ossec-list
Hello Sparks,
It might be possible to do this via OSSEC rules. You might be able to get the directories that the desired agents are monitoring and ignore the alerts coming from those specific devices using that directory as a condition.
The rule that by default is alerting those syscheck changes is the rule 550. Then, you could create a child rule of the latter to only silence the alerts when a specific directory is monitored. To silence a rule, you just need to give it level 0. Example:

<group name="ignoring_agentless">
<rule id="100005" level="0">
    <if_sid>550</if_sid>
    <regex>/agentless/directory\.*</regex>
    <description>Ignoring specific agentless directory.</description>
  </rule>
</group>

I hope this helps.

Regards,
Jose Manuel Lopez
Reply all
Reply to author
Forward
0 new messages