Hi Eric,

If you use the <hostname> tag as Peter said, it will work properly (you can probably add <if_level>1</if_level> to make sure it is inspected for every event). However, OSSEC will still waste time processing these events, so it might be a better idea to configure your syslog server to log every remote syslog event from this host to a separate file that OSSEC is not monitoring.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Nov 1, 2008 at 10:34 PM, Eric Wemhoff <[EMAIL PROTECTED]> wrote:
> I've been trying and searching the manual and the forums, and I'm sure
> there's a simple solution, but I haven't been able to figure it out yet.
>
> I have an agent machine sending log msgs to a server machine via ossec's
> 'secure' connection. Ossec reports alerts based on those (working great).
>
> The agent machine also remote-syslogs those messages to the server, which
> are received by syslogd and saved in /var/log/*.log on the server (because I
> want them saved for posterity). So now I get duplicate versions of every
> log-based alert, which is expected, since the log msgs come across the
> secure connection, and they also show up in the local log files, which ossec
> is also inspecting.
>
> But I don't want duplicate alerts. How can I tell ossec to not consider all
> log messages in the local log files that come from the agent, i.e., that have
> agent_hostname as hostname? I've made various attempts to add elements to
> local_rules.xml, but no luck so far.
>
> -Eric
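An added example (not from the thread or the OSSEC project) of the local_rules.xml rule the reply describes: the `<hostname>` match combined with `<if_level>1</if_level>`, with the alert level dropped to 0. The rule id 100010 and the hostname `agent_hostname` are assumed placeholders.

```xml
<!-- Added to local_rules.xml. Rule id 100010 is an assumed value from the
     local rule range (100000-119999). Replace agent_hostname with the name
     exactly as syslogd writes it into /var/log/*.log (short name or FQDN). -->
<group name="local,syslog,">
  <rule id="100010" level="0">
    <!-- Dependency on level 1, as suggested in the reply, so this override
         is considered for the events that would otherwise raise an alert. -->
    <if_level>1</if_level>
    <!-- Match the hostname taken from the syslog header of the stored copy;
         level 0 silences the duplicate alert for that copy. -->
    <hostname>agent_hostname</hostname>
    <description>Ignore remote-syslog copies of agent logs already received over the secure agent channel.</description>
  </rule>
</group>
```

Check with ossec-logtest that a line delivered over the agent channel still alerts after adding this rule: if the agent ships lines whose syslog header also carries agent_hostname, both copies match and the separate-file approach from the reply is the safer fix.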
