I've been playing with rules this morning and stumbled across something that should help you out a bit better than my last reply. You might be able to use if_level to do this.
Maybe something like this would work:

<!-- level 1 events from this host are raised to level 7 -->
<rule id="100100" level="7">
  <if_level>1</if_level>
  <hostname>host_name_here</hostname>
  <description>Bumped up the level for this host</description>
</rule>

<!-- level 2 events from this host are raised to level 8 -->
<rule id="100101" level="8">
  <if_level>2</if_level>
  <hostname>host_name_here</hostname>
  <description>Bumped up the level for this host</description>
</rule>

And so on...

Derek J. Morris wrote:
> I have a server that any activity in the logs, I want to be given a different
> level than others. Is there a way I can call out that one server to be
> recognized as a higher alert level?
>
> Example:
>
> If agent 002 has an audit or logon failure that is normally a level 1, I want
> ossec to bump it to a level 7...also a level 2 bumped up to a level 8 and so
> on.
>
> - Derek Morris
