Hey,

You can use the <hostname> option in the rules to filter based on the agent name, IP or log file location.

Example: <hostname>/var/log/messages</hostname> or <hostname>agentX|agentY|agentZ</hostname>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Oct 15, 2009 at 8:14 PM, xen <xfire...@gmail.com> wrote:
>
> I am trying to find out how to parse out the location of an alert for
> use in a rule. In the ossec logs alerts.log file, there is the field
> that shows that information. I am trying to read that to process that
> location in an active response. Does anyone know how?
>
> X
>
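
An added example, not part of the original thread: the two <hostname> patterns from the reply placed in complete local rules, with an active response bound to those rules so that it only fires for the chosen location or agents. The rule IDs, the parent rules named in <if_sid> (assumed to be the stock syslog and sshd rules) and the script name handle-location.sh are assumptions made for illustration.

```xml
<!-- local_rules.xml (constructed example; IDs 100100/100101 are arbitrary
     values in the user-defined range) -->
<group name="local,syslog,">

  <!-- Child of rule 1002 (assumed stock syslog parent), restricted to
       events whose location is the file /var/log/messages -->
  <rule id="100100" level="7">
    <if_sid>1002</if_sid>
    <hostname>/var/log/messages</hostname>
    <description>Syslog problem reported from /var/log/messages</description>
  </rule>

  <!-- Child of rule 5716 (assumed stock sshd parent), restricted to
       three agents selected by name -->
  <rule id="100101" level="8">
    <if_sid>5716</if_sid>
    <hostname>agentX|agentY|agentZ</hostname>
    <description>SSH authentication failure on agentX, agentY or agentZ</description>
  </rule>

</group>

<!-- ossec.conf on the manager (constructed example): bind an active
     response to the two location-filtered rules above -->
<ossec_config>
  <command>
    <name>handle-location</name>
    <!-- hypothetical script placed in the active-response/bin directory -->
    <executable>handle-location.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>handle-location</command>
    <!-- run on the agent that generated the event -->
    <location>local</location>
    <rules_id>100100,100101</rules_id>
  </active-response>
</ossec_config>
```

Because the active response is keyed on rule IDs, the location filtering happens in the rules themselves and the script does not need to parse alerts.log.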