Martin,

I use the <hostname></hostname> parameter to accomplish this within my
local_rules.xml file.
Default location is /var/ossec/rules/local_rules.xml.

Here is an example:

  <rule id="100019" level="0">
    <if_sid>30112</if_sid>
    <hostname>server2</hostname>
    <description>Rule that ignores noisy errors from server2</description>
  </rule>

  <rule id="100020" level="3">
    <if_sid>30112</if_sid>
    <hostname>server1</hostname>
    <description>Rule that limits the alert level for server1</description>
  </rule>

If I am understanding you correctly, I believe you can have multiple
<hostname></hostname> entries within the same rule id.

-Reggie


Martin Tartarelli wrote:
> Any idea?
>
>
> ---------- Forwarded message ----------
> From: Martin Tartarelli <[email protected]>
> Date: 2009/2/13
> Subject: OSSEC with one or more Instance
> To: [email protected]
>
>
> List, I need your help...
>
> OSSEC has the ability to discriminate critical alerts using the Alert
> Level. Now, what happens when I use a second critical factor in terms
> of servers?
> For example...
>
> Critical H
> SRV-PROD1
> SRV-PROD2
> rule id="1852" with alert level="8"
>
> Critical M
> SRV-DESA1
> SRV-DESA2
> rule id="1852" with alert level="7"
>
> Critical L
> SRV-RECO1
> SRV-TEMP
> rule id="1852" with alert level="5"
>
>
> What if I want to take the spoils but with a warning alert level
> different? (because a server is more critical than the other).
> Can I create multiple instances on the same server? In practice, how can
> one discriminate xml (with rules) for different servers? Can I do
> that? (maybe with more instances on the ossec server)
>
> Thanks
>
> --
> Martin Tartarelli
> Linux User #476492
> --
>   
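
Added example, not part of the original thread: the <hostname> approach from the reply applied to the three criticality tiers in the question, as a single local_rules.xml on one OSSEC server. Rule 1852, the server names and the levels 8/7/5 come from the question; the rule ids 100021-100023, the group name and the use of "|" (OSSEC sregex alternation) inside one <hostname> element are assumptions of this example, as is the premise that these names are what OSSEC records as the event hostname.

```xml
<!-- Constructed example for /var/ossec/rules/local_rules.xml.
     Rule ids 100021-100023 are placeholders; use any free local rule ids. -->
<group name="local,">

  <!-- Critical H: production servers alert at level 8 -->
  <rule id="100021" level="8">
    <if_sid>1852</if_sid>
    <hostname>SRV-PROD1|SRV-PROD2</hostname>
    <description>Rule 1852 on production servers (Critical H)</description>
  </rule>

  <!-- Critical M: development servers alert at level 7 -->
  <rule id="100022" level="7">
    <if_sid>1852</if_sid>
    <hostname>SRV-DESA1|SRV-DESA2</hostname>
    <description>Rule 1852 on development servers (Critical M)</description>
  </rule>

  <!-- Critical L: recovery and temporary servers alert at level 5 -->
  <rule id="100023" level="5">
    <if_sid>1852</if_sid>
    <hostname>SRV-RECO1|SRV-TEMP</hostname>
    <description>Rule 1852 on recovery/temporary servers (Critical L)</description>
  </rule>

</group>
```

An event from a host not listed in any tier still fires the parent rule 1852 at its own level. Each pattern matches anywhere in the hostname, so SRV-PROD1 would also match a host named SRV-PROD10; /var/ossec/bin/ossec-logtest shows which rule and level a sample log line ends up with.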
