[ossec-list] Re: "Excessive number of events" - where is this?

["evilghost@xxxxxxxxxxxxxx" <evilghost@xxxxxxxxxxxxxx>]

Set "<stats>0</stats>" in your ossec.conf


<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>me@xxxxxxxxxxxx</email_to>
    <smtp_server>smtp.mydomain.com</smtp_server>
    <email_from>ossecm@xxxxxxxxxxxx</email_from>
    <stats>0</stats>
  </global>


Kevin Reiter wrote:
> All,
>
> I keep getting notified of this every hour from my Windows XP SP2 boxen:
>
> OSSEC HIDS Notification.
> 2007 Aug 08 15:34:59
>
> Received From: (hostname) {IP}->WinEvtLog
> Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
> Portion of the log(s):
>
> The average number of logs between 15:00 and 16:00 is 30. We reached 281.
>
>
> I grepped all the rules and every other file(s) I could think of, but I can't find this rule anywhere.  I'd like to disable it completely, since it's getting to be so annyoing I've been asked to shut down the server altogether due to the excessive amount of e-mails being generated by it.  Can anyone tell me where this is located, and/or how to disable it?
>
> Thanks,
>
>
> Kevin Reiter
> Senior Security Engineer
> Financial Services, Inc.
> 21 Harristown Road
> Glen Rock, New Jersey 07452
> (201)652-6000, ext. 588
> PGP ID: 0xEE665233
>
> This message may contain confidential or proprietary information and is intended solely for the individual(s) to whom it is addressed.  If you are not a named addressee you should not disseminate, distribute or copy this e-mail or act upon the information contained herein.  Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
>