Tks, Victor.
I ended up doing something like it:
<hostname>host1|host2|host3</hostname>
but using the hostname from /etc/hostname of the servers running the agent.
Cheers,
Tom
On Friday, June 2, 2017 at 3:43:23 PM UTC, Victor Fernandez wrote:
>
> Hi Tom,
>
> there is a rule option, <hostname>, that should work for you.
>
> Alerts start this way:
>
> ** Alert 1488922301.778562: mail - ossec,syscheck,pci_dss_11.5,
> 2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck
>
>
> The text in red is the agent hostname, it has form "(name) IP". Another
> instance may be "(myagent) any", when the agent was registered using
> IP="any".
>
> So if you want to create a rule that only applies to an agent called
> "myagent" you may use a rule such this one:
>
> <*rule* id="100001" level="3">
>
> <*hostname*>^(myagent)</*hostname*>
>
> </*rule*>
>
>
> Hope it help.
>
> Best regards,
> Victor.
>
> On Friday, June 2, 2017 at 4:40:29 PM UTC+2, Tom Lobato wrote:
>>
>> Is it possible specify in which agents you want certain rule enabled?
>>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
