Wazuh Custom Rules

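Wazuh generates many unnecessary alerts. Rules added to /var/ossec/etc/rules/local_rules.xml on the Wazuh manager can change the behavior of the default rules and so filter out alerts you do not want to see.
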
	
		5700
		^Accepted|authenticated.$
		!sourcegraph|phabricator|jenkins
		sshd: authentication success.    local_rules.xml
		authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,
	
	
		5500
		session opened for user 
		!sourcegraph|phabricator|jenkins|ambari-qa
		PAM: Login session opened.    local_rules.xml
		authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,
	
	
		5500
		session closed for user 
		!sourcegraph|phabricator|jenkins|ambari-qa
		PAM: Login session closed.    local_rules.xml
		pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,
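
To check what exclusion lists like the ones above let through before deploying them, the following added example (not from the original post, and not Wazuh code) runs the three match/exclusion pairs over constructed log messages. It assumes both patterns of a rule are evaluated against the message text and uses a simplified model of the pattern syntax; `simple_match`, `RULES`, `alerts_for` and `SAMPLES` are names made up for this example.

```python
# Simplified model (an assumption of this example, not Wazuh code) of the
# simple-match syntax used in the rules above: "|" separates alternatives,
# "^" / "$" anchor one alternative, a leading "!" negates the whole pattern,
# and anything else is a literal substring.
def simple_match(pattern: str, text: str) -> bool:
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = False
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if at_start else alt
        lit = lit[:-1] if at_end else lit
        if at_start and at_end:
            ok = text == lit
        elif at_start:
            ok = text.startswith(lit)
        elif at_end:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        hit = hit or ok
    return hit != negate

# (description, match pattern, exclusion pattern) with the values listed on this page.
RULES = [
    ("sshd: authentication success.", "^Accepted|authenticated.$",
     "!sourcegraph|phabricator|jenkins"),
    ("PAM: Login session opened.", "session opened for user ",
     "!sourcegraph|phabricator|jenkins|ambari-qa"),
    ("PAM: Login session closed.", "session closed for user ",
     "!sourcegraph|phabricator|jenkins|ambari-qa"),
]

def alerts_for(message: str) -> list[str]:
    """Descriptions of the rules that would still alert on this message."""
    return [d for d, m, x in RULES if simple_match(m, message) and simple_match(x, message)]

# Constructed sample messages (program name and syslog header already removed).
SAMPLES = [
    "Accepted publickey for alice from 192.0.2.10 port 50122 ssh2",
    "Accepted publickey for jenkins from 192.0.2.20 port 50344 ssh2",
    "pam_unix(sshd:session): session opened for user ambari-qa by (uid=0)",
    "pam_unix(sshd:session): session opened for user jenkins-backup by (uid=0)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(alerts_for(line) or "suppressed", "<-", line)
```

In this model the last sample is suppressed as well, because `jenkins` is matched as a substring of `jenkins-backup`.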
	

 

 
