I don't understand why I keep getting responses for events labeled as "information" when I've told the filters to exclude them.
See the screenshots and notice I am telling the filter to show all events with event description "access protection rule violation detected and blocked" but to exclude one particular host and ignore all severity events that are labeled as "information". Yet, I'm still getting emails for information events.
It would be helpful to see the log entries for when ePO is evaluating the response. Follow KB52369 to locate the log-config.xml file and do not change the normal logging to debug, but instead add the following logger after the last logger in the file.
You don't need to restart services, just wait a few minutes for that to take effect. The next time you get a notification, post the orion log for that time frame for us to review.