Hi Derek,

The <srcip> tag looks for the decoded source IP address in the event. If you need to match on the agent name (or agent IP, or even the log location), you need to use the <hostname> tag.

For example:

<hostname>agent1</hostname>

or

<hostname>/var/log/messages</hostname>

Note that these only apply to events coming from remote agents. For local log files, the hostname is always the syslog hostname.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Jul 30, 2009 at 2:42 PM, Michael Altfield<michael...@gmail.com> wrote:
> I haven't played with srcip, but I know I've gotten the <hostname> correct.
> Try:
>
> <rule id="100400" level="6">
>   <if_sid>18101</if_sid>
>   <hostname>your-servers-hostname</hostname>
>   <description>Windows informational event from SRV1.</description>
> </rule>
>
> Just a guess, but did you try both the short hostname and the FQDN?
>
>
> -Michael
>
> On Thu, Jul 30, 2009 at 8:34 AM, Derek J. Morris <dmor...@digitalmorris.com> wrote:
>>
>> I tried that and no luck.
>>
>>
>> Example in my local_rules.xml
>>
>> <rule id="100400" level="6">
>>   <srcip>2.2.2.2</srcip>
>>   <if_sid>18101</if_sid>
>>   <description>Windows informational event from SRV1.</description>
>> </rule>
>>
>> I tried replacing srcip with hostname, and no change.
>>
>> -Derek
>>
>> >
>> > Hi Derek,
>> >
>> > Have you looked into using the <hostname> or <srcip> tags in your
>> > rules?
>> >
>> >
>> > Cheers,
>> > Michael
>> >
>> > On Jul 29, 1:38 pm, "Derek J. Morris" <dmor...@digitalmorris.com> wrote:
>> >> Has anyone made, or knows how to make, an alert (say Informational from
>> >> the Windows system event log, level 5) that, if it comes from a specific
>> >> server (say SRV1), changes its alert number higher than the level 5 it
>> >> normally gets, say 8?
>> >>
>> >> Basically, I want to know every event from some servers and just the
>> >> higher-level ones from other servers. Some servers are very critical and
>> >> some are not.
>> >>
>> >> -Derek Morris
>> >
>>
>
>
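To make the <srcip> / <hostname> distinction from the reply above concrete, here is a small Python simulator. It is an added example written for this thread, not code from OSSEC, and it makes the following assumptions: for an event from a remote agent, the <hostname> tag is matched as a substring against the location string OSSEC prints in its alerts, `(agent_name) agent_ip->log_location` (which is why agent name, agent IP and log path are all reachable from <hostname>); for a local log file it is matched against the syslog hostname; and <srcip> is compared only with the IP the decoder extracted from the log line, never with the agent's own address. Plain substring matching stands in for OSSEC's OS_Match syntax, and rule ids 100401 and 100402, the agent names, the IP addresses and the event fields are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment, modelled on the rules posted in the
# thread (not copied from any OSSEC install). Rule 18101 is the stock OSSEC
# "Windows informational event" rule that the thread wants to escalate.
LOCAL_RULES = """<group name="local,">
  <rule id="100400" level="8">
    <if_sid>18101</if_sid>
    <hostname>SRV1</hostname>
    <description>Windows informational event from the critical server SRV1.</description>
  </rule>
  <rule id="100401" level="8">
    <if_sid>18101</if_sid>
    <srcip>2.2.2.2</srcip>
    <description>Windows informational event whose decoded source IP is 2.2.2.2.</description>
  </rule>
  <rule id="100402" level="8">
    <if_sid>18101</if_sid>
    <hostname>2.2.2.2</hostname>
    <description>Windows informational event reported by the agent at 2.2.2.2.</description>
  </rule>
</group>"""


def parse_rules(xml_text):
    """Pull the few fields this simulator understands out of a <group>."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid else None,
            "hostname": r.findtext("hostname"),
            "srcip": r.findtext("srcip"),
        })
    return rules


def hostname_target(event):
    """What <hostname> is compared against (assumption, following the thread):
    for a remote agent the location string "(agent) agent_ip->log", so agent
    name, agent IP and log path are all visible to it; for a local log file
    the hostname taken from the syslog header."""
    if event["location"].startswith("("):
        return event["location"]
    return event.get("syslog_hostname") or ""


def rule_matches(rule, event):
    if rule["if_sid"] is not None and rule["if_sid"] != event["sid"]:
        return False
    # Substring match stands in for OSSEC's OS_Match here (assumption).
    if rule["hostname"] and rule["hostname"] not in hostname_target(event):
        return False
    # <srcip> only sees the IP the decoder pulled out of the log line,
    # never the address of the agent that forwarded it.
    if rule["srcip"] and rule["srcip"] != event.get("srcip"):
        return False
    return True


def classify(rules, event):
    """Return (rule_id, level): the first child rule that fires, else the parent."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule["id"], rule["level"]
    return event["sid"], event["level"]


def base_event(location, srcip=None, syslog_hostname=None):
    # Constructed event already matched by parent rule 18101 at level 5.
    return {"sid": 18101, "level": 5, "location": location,
            "srcip": srcip, "syslog_hostname": syslog_hostname}


EVENTS = {
    # agent named SRV1: escalated by the <hostname> rule
    "from_srv1": base_event("(SRV1) 10.0.0.21->WinEvtLog"),
    # some other agent, nothing decoded as a source IP: stays at level 5
    "from_srv2": base_event("(SRV2) 10.0.0.22->WinEvtLog"),
    # decoder found 2.2.2.2 in the log line (e.g. a logon from it): <srcip> fires
    "srcip_2222": base_event("(SRV2) 10.0.0.22->WinEvtLog", srcip="2.2.2.2"),
    # the agent itself sits at 2.2.2.2: <srcip> does not fire, <hostname> does
    "agent_at_2222": base_event("(SRV3) 2.2.2.2->WinEvtLog"),
    # local file (parent sid kept at 18101 only for uniformity): only the
    # syslog hostname is visible to <hostname>
    "local_srv1": base_event("/var/log/messages", syslog_hostname="SRV1"),
}

if __name__ == "__main__":
    loaded = parse_rules(LOCAL_RULES)
    for name, ev in EVENTS.items():
        print(name, classify(loaded, ev))
```

The `agent_at_2222` case is the one Derek's original rule runs into: putting the agent's address in <srcip> never matches, because that field holds whatever IP the decoder extracted from the event text, while the same address in <hostname> does match because it appears in the agent's location string.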
