Hi Tom,

There is a rule option, <hostname>, that should work for you.

Alerts start this way:

** Alert 1488922301.778562: mail  - ossec,syscheck,pci_dss_11.5,
2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck

 
The text in red is the agent hostname; it has the form "(name) IP". Another 
instance may be "(myagent) any", when the agent was registered using 
IP="any".

So if you want to create a rule that only applies to an agent called 
"myagent", you may use a rule such as this one:

<rule id="100001" level="3">
    <hostname>^(myagent)</hostname>
</rule>


Hope it helps.

Best regards,
Victor.

On Friday, June 2, 2017 at 4:40:29 PM UTC+2, Tom Lobato wrote:
>
> Is it possible to specify in which agents you want a certain rule enabled?
>
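
An added example (not part of the thread and not OSSEC's own code): a Python sketch that parses the second line of each alert, as described in the reply above, and lists which hostnames a <hostname> pattern such as ^(myagent) would select. It assumes a leading ^ anchors the pattern and every other character is literal; all sample lines except the first are constructed.

```python
import re

# Second line of an alert: "<timestamp> <hostname>-><location>"
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>.+?)->(?P<location>.*)$"
)
# Agent hostnames have the form "(name) IP" or "(name) any"
AGENT = re.compile(r"^\((?P<name>[^)]+)\) (?P<addr>\S+)$")

def parse_header(line):
    """Return hostname, agent name, address and location, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    host = m.group("hostname")
    a = AGENT.match(host)
    return {
        "hostname": host,
        "agent": a.group("name") if a else None,
        "addr": a.group("addr") if a else None,
        "location": m.group("location"),
    }

def hostname_rule_matches(pattern, hostname):
    # Assumption: only a leading '^' is special; the rest is literal text.
    if pattern.startswith("^"):
        return hostname.startswith(pattern[1:])
    return pattern in hostname

def hostnames_selected(pattern, lines):
    """Hostnames from alert header lines that the pattern would match."""
    parsed = (parse_header(l) for l in lines)
    return [p["hostname"] for p in parsed
            if p and hostname_rule_matches(pattern, p["hostname"])]

SAMPLE = [
    "** Alert 1488922301.778562: mail  - ossec,syscheck,pci_dss_11.5,",
    "2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck",  # from the reply
    "2017 Mar 07 13:32:10 (myagent) any->syscheck",           # constructed
    "2017 Mar 07 13:33:02 (myagent2) 192.168.66.2->syscheck", # constructed
    "2017 Mar 07 13:35:00 manager->/var/log/auth.log",        # constructed
]

if __name__ == "__main__":
    print(hostnames_selected("^(myagent)", SAMPLE))  # exact agent name
    print(hostnames_selected("^(myagent", SAMPLE))   # also hits myagent2
```

Dropping the closing parenthesis from the pattern widens the match to any agent whose name merely begins with "myagent", so the full "(name)" form is what keeps the rule scoped to one agent.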
