Hi Tom, there is a rule option, <hostname>, that should work for you.
Alerts start this way: ** Alert 1488922301.778562: mail - ossec,syscheck,pci_dss_11.5, 2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck The text in red is the agent hostname, it has form "(name) IP". Another instance may be "(myagent) any", when the agent was registered using IP="any". So if you want to create a rule that only applies to an agent called "myagent" you may use a rule such this one: <*rule* id="100001" level="3"> <*hostname*>^(myagent)</*hostname*> </*rule*> Hope it help. Best regards, Victor. On Friday, June 2, 2017 at 4:40:29 PM UTC+2, Tom Lobato wrote: > > Is it possible specify in which agents you want certain rule enabled? > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.