I am attempting to ignore an OSSEC rule for an alert that is triggered from a certain host. Rule 5401 exists in the syslog_rules.xml file:
<rule id="5401" level="10">
  <!-- only evaluated once the parent sudo rule 5400 has matched -->
  <if_sid>5400</if_sid>
  <!-- substring match against the decoded log text -->
  <match>3 incorrect password attempts</match>
  <description>Three failed attempts to run sudo</description>
</rule>
If this rule is triggered, a level 10 alert is generated, along with an email.
I want to add an exception to this rule in the local_rules.xml file, where if the hostname that sends the alert is ip-10-XX-XX-XX, no email alert will be generated. I have been able to create this rule in local_rules.xml:
<!-- placed inside the <group> element of local_rules.xml -->
<rule id="10040" level="0">
  <!-- child of 5401: when this rule matches, level 0 silences the event (no alert, no email) -->
  <if_sid>5401</if_sid>
  <match>myUserName</match>
  <description>List of rules to be ignored.</description>
</rule>
And when rule 5401 is triggered by myUserName, no alert is generated. According to the OSSEC documentation, I should be able to replace the match argument with:
<hostname>ip-10-XX-XX-XX</hostname>
However, this has been unsuccessful, and an email alert is still generated when I trigger rule 5401.
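The first thing to establish when a `<hostname>` override does not fire is what value OSSEC actually compares against. The hostname a rule sees is not the agent's name but the hostname field of the syslog header in the log line itself, and `<hostname>` is evaluated with OSSEC's pattern matcher (substring match, `^` and `$` as anchors, `|` for alternation), not as a literal equality. The script below is an added example written for this page; it is not code from the question or from the OSSEC project. It re-implements those two steps so the chain 5400 -> 5401 -> 10040 can be dry-run against constructed sample lines: the rule numbers and the level 10 / level 0 values come from the question, while the regex, the `os_match` approximation, the `evaluate` helper and every sample log line are assumptions made here for illustration. On a real host, `/var/ossec/bin/ossec-logtest` prints the decoded `hostname` in its Phase 1 output for a pasted log line, which is the authoritative way to confirm the same thing.

```python
"""Dry-run of an OSSEC <hostname> override (added example, not OSSEC code).

Assumptions made in this example:
  * the syslog pre-decoder takes hostname/program from an RFC 3164 header
    "Mon DD HH:MM:SS hostname program[pid]: message";
  * <hostname> uses OSSEC's OS_Match semantics: substring match, with
    '^' / '$' as start/end anchors and '|' separating alternatives.
All log lines in SAMPLE_LINES are constructed for this example.
"""
import re

# Minimal RFC 3164 header parser standing in for OSSEC's syslog pre-decoder.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

RULE_5401_MATCH = "3 incorrect password attempts"  # <match> of rule 5401 in the question


def predecode(line):
    """Return (hostname, program_name, log) as the pre-decoder would.

    A line with no syslog header yields hostname None, which is the case a
    <hostname> override can never match.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, None, line
    return m.group("hostname"), m.group("program"), m.group("log")


def os_match(pattern, value):
    """Approximation of OS_Match: substring, ^/$ anchors, | alternation."""
    if value is None:
        return False
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$")
        core = alt[1 if start else 0: -1 if end else None]
        if start and end:
            hit = value == core
        elif start:
            hit = value.startswith(core)
        elif end:
            hit = value.endswith(core)
        else:
            hit = core in value
        if hit:
            return True
    return False


def evaluate(line, ignore_hostname_pattern):
    """Walk 5401 -> 10040 for one line; return the resulting alert level.

    None  : rule 5401 did not match, nothing to suppress.
    0     : rule 10040 (<hostname> child, level 0) matched, event silenced.
    10    : rule 5401 fired and the override did not match.
    """
    hostname, _program, log = predecode(line)
    if RULE_5401_MATCH not in log:          # rule 5401's <match>
        return None
    if os_match(ignore_hostname_pattern, hostname):  # rule 10040's <hostname>
        return 0
    return 10


SUDO_TAIL = " : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash"
SAMPLE_LINES = [  # constructed, not real logs
    "Jan 12 10:00:01 ip-10-0-1-23 sudo:  alice" + SUDO_TAIL,               # bare hostname
    "Jan 12 10:00:02 ip-10-0-1-23.ec2.internal sudo:  alice" + SUDO_TAIL,  # FQDN in header
    "Jan 12 10:00:03 ip-10-0-9-9 sudo:  alice" + SUDO_TAIL,                # a different host
    "sudo:  alice" + SUDO_TAIL,                                            # no syslog header at all
]

if __name__ == "__main__":
    for pattern in ("ip-10-0-1-23", "^ip-10-0-1-23$"):
        print(f"<hostname>{pattern}</hostname>")
        for line in SAMPLE_LINES:
            hostname, _, _ = predecode(line)
            print(f"  hostname={hostname!r:32} -> level {evaluate(line, pattern)}")
```

Running it shows that an unanchored pattern also covers an FQDN in the header, that anchoring with `^...$` makes the FQDN case fall through to level 10, and that a line whose header carries no hostname (for example when the collector strips it or the message was not syslog-formatted) can never be silenced by `<hostname>`. Compare those outcomes with what `ossec-logtest` prints for the real line from the host; if the decoded hostname differs from `ip-10-XX-XX-XX`, the override has nothing to match.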