I've been trying and searching the manual and the forums, and I'm sure there's a simple solution, but I haven't been able to figure it out yet.
I have an agent machine sending log msgs to a server machine via ossec's 'secure' connection. Ossec reports alerts based on those (working great). The agent machine also remote-syslog's those messages to the server, where they are received by syslogd and saved in /var/log/*.log on the server (because I want them saved for posterity). So now I get duplicate versions of every log-based alert, which is expected, since the log msgs come across the secure connection, and they also show up in the local log files, which ossec is also inspecting. But I don't want duplicate alerts. How can I tell ossec to not consider all log messages in the local log files that come from the agent, i.e., that have agent_hostname as hostname? I've made various attempts to add elements to local_rules.xml, but no luck so far.

-Eric
