I'm using the following syntax without issue:
<hostname>host1|host2|host3|host4</hostname>
Hope that helps,
Kevin Reiter wrote:
> All,
>
> I've created a custom rule in local_rules.xml to not send literally thousands
> of e-mail alerts when a connection to a specific machine can't be made, and
> it's not working. I'm hoping someone here can spot what I've done wrong and
> provide a correction.
>
> Here's the rule:
>
> <!-- Ignore the thousands (literally!) of alerts about "Dimension" -->
> <rule id="103010" level="0">
> <if_sid>1003</if_sid>
> <hostname>Server19/server19</hostname>
> <hostname>Server26/server26</hostname>
> <match>DIMENSION</match>
> <options>no_email_alert</options>
> <description>Failed connection to Dimension (every minute)</description>
> </rule>
>
>
> When I originally had only one <hostname>server</hostname> entry, it was
> working fine. I'm guessing that even though OSSEC doesn't complain if you
> have multiple entries, it doesn't honor it. I've read the manual section:
>
> hostname: Any hostname (decoded as the syslog hostname).
>
> and it seems that only one hostname is allowed, since it doesn't specify how
> to delimit multiple entries.
>
> Should I just write another rule with the second server name?
>
> Thanks,
> Kevin
>
>
--
Brad Lhotsky <[EMAIL PROTECTED]>
NCTS Computer Specialist -- 410.558.8006
.. WAR IS PEACE,
FREEDOM IS SLAVERY,
IGNORANCE IS STRENGTH ..