I don't understand why I keep getting responses for events labeled as "information" when I've told the filters to exclude them.
See the screenshots and notice I am telling the filter to show all events with event description "access protection rule violation detected and blocked" but to exclude one particular host and ignore all severity events that are labeled as "information". Yet, I'm still getting emails for information events.
It would be helpful to see the log entries for when ePO is evaluating the response. Follow KB52369 to locate the log-config.xml file and do not change the normal logging to debug, but instead add the following logger after the last logger in the file.
You don't need to restart services; just wait a few minutes for that to take effect. The next time you get a notification, post the orion log for that time frame for us to review.