Hi Peter,

The <event_location> looks into the alert location header:

** Alert 1213714333.7351: - syslog,errors,
2008 Jun 17 11:52:13 (esqueleto2) 192.168.2.99->/var/log/messages

Which in this example would be:

"(esqueleto2) 192.168.2.99->/var/log/messages"

So, if you want to match on one specific agent, you can do:

<event_location>(esqueleto2) 192.168.2.99-</event_location>

Or only use the agent name:

<event_location>(esqueleto2)</event_location>

Hope it helps.

--
Daniel B. Cid
dcid @ ossec.net

On Mon, Jun 16, 2008 at 12:45 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> I'm using
>
> <email_alerts>
> <email_to>client_email</email_to>
> <event_location>209.173.x.x|209.173.x.y|etc</event_location>
> <do_not_delay />
> </email_alerts>
>
> For granular email...
>
> Today I just ran into where the IP is not matched "as is" but .5 and .54
> (for example) both match even though .5 was the one specified.
>
> How do I have alerts for specific agents go to a specific email?
>
> Thank you.
>
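
The routing behaviour discussed in this thread, as an added example that is not part of the original messages and is not OSSEC's own code. It assumes event_location is an unanchored substring match with `|` separating alternatives (a model consistent with the .5/.54 collision reported above); the agent names, IP addresses and e-mail addresses are constructed.

```python
import re

# Second line of an alert header, in the format quoted in the thread, e.g.
# "2008 Jun 17 11:52:13 (esqueleto2) 192.168.2.99->/var/log/messages"
HEADER = re.compile(r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<location>.+)$")

def alert_location(header_line):
    """Return the '(agent) ip->logfile' part that event_location is compared to."""
    m = HEADER.match(header_line.strip())
    if m is None:
        raise ValueError("not an alert header line: %r" % header_line)
    return m.group("location")

def location_matches(pattern, location):
    """Assumed model: '|' separates alternatives; each is an unanchored substring."""
    return any(alt and alt in location for alt in pattern.split("|"))

def recipients(routes, header_line):
    """routes: list of (email_to, event_location) pairs; returns matching addresses."""
    loc = alert_location(header_line)
    return [to for to, pattern in routes if location_matches(pattern, loc)]

# Constructed sample data: two agents whose IP addresses share a prefix.
ALERT_WEB5 = "2008 Jun 17 11:52:13 (web5) 192.168.2.5->/var/log/messages"
ALERT_WEB54 = "2008 Jun 17 11:52:14 (web54) 192.168.2.54->/var/log/messages"

# Bare IP: "192.168.2.5" is also a prefix of "192.168.2.54".
LOOSE = [("a@example.com", "192.168.2.5"), ("b@example.com", "192.168.2.54")]
# Trailing '-' from the "->" separator terminates the address.
BY_IP = [("a@example.com", "192.168.2.5-"), ("b@example.com", "192.168.2.54-")]
# Agent name with both parentheses is delimited on each side.
BY_NAME = [("a@example.com", "(web5)"), ("b@example.com", "(web54)")]

if __name__ == "__main__":
    for label, routes in (("bare IP", LOOSE), ("IP plus '-'", BY_IP),
                          ("agent name", BY_NAME)):
        print(label, recipients(routes, ALERT_WEB5), recipients(routes, ALERT_WEB54))
```

With the bare-IP routes, the alert from the .54 agent is also delivered to the address meant for .5; the two delimited forms keep each agent's alerts separate.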
