Hi Steve,

The <event_location> tag uses the "os_match" library[1], which does
not support regular expressions (basically a string matching). In your
case, if you want agents a.y.z and b.y.z, you can just do:


<event_location>.y.z</event_location>


Since both will match on that string. You can also do:


<event_location>a.y.z|a.x.z|abc|def</event_location>


For multiple entries...


[1] http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Feb 14, 2008 3:31 PM, Steve McMaster <[EMAIL PROTECTED]> wrote:
>
> From reading the wiki, I see that I can do the following:
>
>  <email_alerts>
>    <email_to>[EMAIL PROTECTED]</email_to>
>    <level>12</level>
>    <event_location>qwerty|agt1</event_location>
>    <do_not_delay />
>  </email_alerts>
>
> Can I use wildcards in the <event_location> definition? For example:
>
>  <email_alerts>
>    <email_to>[EMAIL PROTECTED]</email_to>
>    <level>12</level>
>    <event_location>*.y.z</event_location>
>    <do_not_delay />
>  </email_alerts>
>
> And have that mail for agents with names such as a.y.z, b.y.z, etc?
>
> Thanks.
>
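
An added example, not part of the original thread and not OSSEC's own code: a simplified Python model of the matching the reply describes (plain substring matching, with `|` separating alternatives), used to check which agent names a pattern selects before relying on it for alert routing. The function names and agent names are constructed, and treating `*` as an ordinary character is an assumption of the model.

```python
# Simplified model of the <event_location> matching described in the reply:
# substring matching with "|" separating alternatives, no wildcards.
# This is NOT the os_match implementation; any other os_match features
# (and its case handling) are deliberately not modelled here.

def location_matches(pattern: str, location: str) -> bool:
    """True if any '|'-separated alternative occurs anywhere in location."""
    alternatives = [alt for alt in pattern.split("|") if alt]
    return any(alt in location for alt in alternatives)


def audit(pattern: str, locations: list[str]) -> list[str]:
    """Return every location the pattern would select, in input order."""
    return [loc for loc in locations if location_matches(pattern, loc)]


def unintended(pattern: str, locations: list[str], intended: set[str]) -> list[str]:
    """Return matches that were not meant to receive this alert rule."""
    return [loc for loc in audit(pattern, locations) if loc not in intended]


# Constructed agent names for illustration only.
AGENTS = ["a.y.z", "b.y.z", "a.x.z", "qwerty", "agt1", "agt10",
          "c.y.zone.example"]

if __name__ == "__main__":
    # ".y.z" selects both intended agents, but as a substring it also
    # selects any other name that merely contains ".y.z".
    print(audit(".y.z", AGENTS))
    print(unintended(".y.z", AGENTS, {"a.y.z", "b.y.z"}))

    # Under this model "*" is a literal character, so the wildcard
    # attempt from the question selects nothing.
    print(audit("*.y.z", AGENTS))

    # "agt1" is also a substring of "agt10".
    print(audit("qwerty|agt1", AGENTS))
```

Running the same check against the real agent list shows whether a short pattern such as `.y.z` routes alerts for more hosts than intended.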
