Try:

<hostname>Server19|server19|</hostname>
<hostname>Server26|server26</hostname>

> <hostname>Server19/server19</hostname>
> <hostname>Server26/server26</hostname>

On Nov 5, 2008, at 7:20 AM, Kevin Reiter wrote:

>
> All,
>
> I've created a custom rule in local_rules.xml to not send literally
> thousands of e-mail alerts when a connection to a specific machine
> can't be made, and it's not working. I'm hoping someone here can
> spot what I've done wrong and provide a correction.
>
> Here's the rule:
>
> <!-- Ignore the thousands (literally!) of alerts about "Dimension" -->
> <rule id="103010" level="0">
>   <if_sid>1003</if_sid>
>   <hostname>Server19/server19</hostname>
>   <hostname>Server26/server26</hostname>
>   <match>DIMENSION</match>
>   <options>no_email_alert</options>
>   <description>Failed connection to Dimension (every minute)</description>
> </rule>
>
>
> When I originally had only one <hostname>server</hostname> entry,
> it was working fine. I'm guessing that even though OSSEC doesn't
> complain if you have multiple entries, it doesn't honor it. I've
> read the manual section:
>
> hostname Any hostname Any hostname (decoded as the syslog hostname).
>
> and it seems that only one hostname is allowed, since it doesn't
> specify how to delimit multiple entries.
>
> Should I just write another rule with the second servername?
>
> Thanks,
> Kevin
>
>
> This message may contain confidential or proprietary information
> and is intended solely for the individual(s) to whom it is
> addressed. If you are not a named addressee you should not
> disseminate, distribute or copy this e-mail or act upon the
> information contained herein. Please notify the sender immediately
> by e-mail if you have received this e-mail by mistake and delete
> this e-mail from your system.
>
