That's perfect, exactly what I needed to know! Thank you!

On Tuesday, July 11, 2017 at 3:58:37 AM UTC-4, Victor Fernandez wrote:
>
> Hi Robert,
>
> OSSEC should take these settings independently:
>
>    - Configuration A will send alerts with level 8 or higher.
>    - Configuration B will send alerts with level 4 or higher (including 
>    alerts sent by the former setting) belonging to these groups.
>
> So you'll receive duplicate alerts. One option would be to enter every 
> group but the ones specified in configuration B.
>
> Let me tell you that Wazuh agents include an improvement that allows 
> negating expressions. So you may use a setting like this one:
>
> <syslog_output>
>     <level>8</level>
>     <server>192.168.0.5</server>
>     <group>!invalid_login|adduser|blah|andsoon</group>
> </syslog_output>
>
> <syslog_output>
>     <level>4</level>
>     <group>invalid_login|adduser|blah|andsoon</group>
>     <server>192.168.0.5</server>
> </syslog_output>
>
>
> Hence you'll have alerts with level 4 or higher (even 8 or more) belonging 
> to these groups, plus alerts with level 8 or higher of any other group.
>
> Hope it helps.
> Best regards.
>
>
> On Mon, Jul 10, 2017 at 10:29 PM, Robert B <rlbe...@gmail.com> wrote:
>
>> This was a little unclear to me after reading the documentation and 
>> searching around... pardon if it's been asked and answered, I simply have 
>> not found it.
>>
>> We have a single server we want to send syslog output to, however, we 
>> also want to have different levels for some alerts. Would it be as simple 
>> as two syslog_output sections, such as below, or would this create 
>> duplicate alerts, take the last syslog_output section, or can it be done in 
>> a single section?
>>
>> <syslog_output>
>>     <level>8</level>
>>     <server>192.168.0.5</server>
>> </syslog_output>
>>
>> <syslog_output>
>>     <level>4</level>
>>     <group>invalid_login|adduser|blah|andsoon</group>
>>     <server>192.168.0.5</server>
>> </syslog_output>
>>    
>>
>> Thanks!
>> Bob
>>
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>
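To make the behaviour Victor describes concrete, here is an added simulation (illustrative code, not OSSEC or Wazuh source) that parses both versions of the configuration and runs a handful of constructed alerts through them, counting how many <syslog_output> blocks forward each alert. The matching rules it models are an assumption based on the thread: each block is evaluated independently, an alert is forwarded when its level is at least the block's <level> and, if a <group> list is present, any of the alert's groups appears in that pipe-separated list; a leading "!" (the Wazuh negation) inverts the group test. The rule ids, levels and groups of the sample alerts are constructed for the example.

```python
"""Simulate independent <syslog_output> blocks (added illustration, not
OSSEC/Wazuh code). Modelled semantics (assumption): a block forwards an alert
when level >= <level> and, if <group> is set, the alert shares a group with
the pipe-separated list; a leading '!' inverts the group test."""
import xml.etree.ElementTree as ET

# Configuration from the original question: overlapping filters.
CONFIG_A = """
<ossec_config>
  <syslog_output>
    <level>8</level>
    <server>192.168.0.5</server>
  </syslog_output>
  <syslog_output>
    <level>4</level>
    <group>invalid_login|adduser|blah|andsoon</group>
    <server>192.168.0.5</server>
  </syslog_output>
</ossec_config>
"""

# Configuration from the answer: the level-8 block excludes the listed groups.
CONFIG_B = """
<ossec_config>
  <syslog_output>
    <level>8</level>
    <server>192.168.0.5</server>
    <group>!invalid_login|adduser|blah|andsoon</group>
  </syslog_output>
  <syslog_output>
    <level>4</level>
    <group>invalid_login|adduser|blah|andsoon</group>
    <server>192.168.0.5</server>
  </syslog_output>
</ossec_config>
"""

# Constructed sample alerts: (rule id, level, groups). Not real OSSEC output.
SAMPLE_ALERTS = [
    ("5710", 5, {"syslog", "sshd", "invalid_login"}),
    ("5712", 10, {"syslog", "sshd", "invalid_login"}),
    ("5902", 8, {"syslog", "adduser"}),
    ("2502", 10, {"syslog", "authentication_failed"}),
    ("5501", 3, {"pam", "syslog", "authentication_success"}),
    ("550", 7, {"ossec", "syscheck"}),
]


def parse_outputs(xml_text):
    """Return one dict per <syslog_output> block: level, group set, negation flag."""
    outputs = []
    for node in ET.fromstring(xml_text).findall("syslog_output"):
        raw = node.findtext("group")
        groups = None if raw is None else set(raw.lstrip("!").split("|"))
        outputs.append({
            "server": node.findtext("server"),
            "level": int(node.findtext("level", default="0")),
            "groups": groups,
            "negate": raw is not None and raw.startswith("!"),
        })
    return outputs


def block_matches(block, level, alert_groups):
    """Apply the modelled level and group filter of a single block."""
    if level < block["level"]:
        return False
    if block["groups"] is None:          # no <group>: level alone decides
        return True
    overlaps = bool(alert_groups & block["groups"])
    return (not overlaps) if block["negate"] else overlaps


def route(xml_text, alerts):
    """Map each rule id to the number of blocks that forward it."""
    outputs = parse_outputs(xml_text)
    return {rule: sum(block_matches(b, lvl, grps) for b in outputs)
            for rule, lvl, grps in alerts}


def duplicates(xml_text, alerts):
    """Rule ids that would reach the syslog server more than once."""
    return sorted(rule for rule, n in route(xml_text, alerts).items() if n > 1)


if __name__ == "__main__":
    for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        print(name, route(cfg, SAMPLE_ALERTS), "duplicates:", duplicates(cfg, SAMPLE_ALERTS))
```

Running it shows that configuration A forwards the level-10 invalid_login alert and the level-8 adduser alert twice, while configuration B delivers the same set of alerts with none duplicated; the level-3 and ungrouped level-7 alerts are dropped by both, as expected.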
