Reggie,

2009/2/20 Reggie Griffin <[email protected]>:
>
> Martin,
>
> I use the <hostname></hostname> parameter to accomplish this within my
> local_rules.xml file.
> Default location is /var/ossec/rules/local_rules.xml.
>
> Here is an example:
>
> <rule id="100019" level="0">
>   <if_sid>30112</if_sid>
>   <hostname>server2</hostname>
>   <description>Rule that ignores noisy errors from server2</description>
> </rule>
>
> <rule id="100020" level="3">
>   <if_sid>30112</if_sid>
>   <hostname>server1</hostname>
>   <description>Rule that limits the alert level for server1</description>
> </rule>
>
> If I am understanding you correctly, I believe you can have multiple
> <hostname></hostname> entries within the same rule id.
>
> -Reggie
>
Thanks for your answer, it's a good idea, but the problem with that is when you have more than 500 servers, it's very difficult to create a rule by host. In my case I like to discriminate server vs risk on OSSEC with alert level.

>
> Martin Tartarelli wrote:
>> Any idea?
>>
>>
>> ---------- Forwarded message ----------
>> From: Martin Tartarelli <[email protected]>
>> Date: 2009/2/13
>> Subject: OSSEC with one or more Instance
>> To: [email protected]
>>
>>
>> List, I need your help...
>>
>> OSSEC has the ability to discriminate critical alerts using the Alert
>> Level. Now, what happens when I use a second critical factor in terms
>> of servers?
>> For example...
>>
>> Critical H
>> SRV-PROD1
>> SRV-PROD2
>> rule id="1852" with alert level="8"
>>
>> Critical M
>> SRV-DESA1
>> SRV-DESA2
>> rule id="1852" with alert level="7"
>>
>> Critical L
>> SRV-RECO1
>> SRV-TEMP
>> rule id="1852" with alert level="5"
>>
>>
>> What if I want to take the spoils but with a warning alert level
>> different? (because a server is more critical than the other).
>> Can I create multiple instances on the same server? In practice, how can
>> one discriminate xml (with rules) for different servers? Can I do
>> that? (maybe with more instances on the OSSEC server)
>>
>> Thanks
>>
>> --
>> Martin Tartarelli
>> Linux User #476492
>> --
>>
>
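
Added example, not part of the original thread: one way to avoid a rule per host is to generate one child rule per criticality tier from an inventory, listing that tier's servers in a single <hostname> value. It assumes OSSEC matches <hostname> as an sregex in which `|` separates alternatives and matching is by substring; the starting rule id 100100, the chunk size and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed inventory: tier -> (alert level, hosts), taken from the
# example in the thread. In practice this would come from a CMDB export.
TIERS = {
    "H": (8, ["SRV-PROD1", "SRV-PROD2"]),
    "M": (7, ["SRV-DESA1", "SRV-DESA2"]),
    "L": (5, ["SRV-RECO1", "SRV-TEMP"]),
}

def check_hosts(tiers):
    """Reject names that would break or blur a '|' alternation pattern."""
    seen = {}
    for tier, (_level, hosts) in tiers.items():
        for host in hosts:
            if not host or any(c in host for c in "|^$! "):
                raise ValueError(f"unsafe hostname {host!r}")
            if host in seen:
                raise ValueError(f"{host!r} listed in tiers {seen[host]} and {tier}")
            seen[host] = tier
    # Assumption: matching is by substring, so SRV-PROD1 would also match
    # SRV-PROD10. Refuse such pairs when they sit in different tiers.
    for a, tier_a in seen.items():
        for b, tier_b in seen.items():
            if a != b and tier_a != tier_b and a in b:
                raise ValueError(f"{a!r} ({tier_a}) also matches {b!r} ({tier_b})")

def build_rules(tiers, parent_sid=1852, first_id=100100, chunk=50):
    """Return local_rules.xml text: one child rule per tier (per chunk of hosts)."""
    check_hosts(tiers)
    group = ET.Element("group", name="local,")
    rule_id = first_id  # hypothetical start of the local rule id range
    for tier, (level, hosts) in tiers.items():
        for i in range(0, len(hosts), chunk):  # keep each pattern short
            rule = ET.SubElement(group, "rule", id=str(rule_id), level=str(level))
            ET.SubElement(rule, "if_sid").text = str(parent_sid)
            ET.SubElement(rule, "hostname").text = "|".join(hosts[i:i + chunk])
            ET.SubElement(rule, "description").text = (
                f"Rule {parent_sid} on criticality {tier} servers")
            rule_id += 1
    ET.indent(group)  # Python 3.9+
    return ET.tostring(group, encoding="unicode")

if __name__ == "__main__":
    print(build_rules(TIERS))
```

Review the generated file before copying it into /var/ossec/rules/local_rules.xml, and regenerate it whenever the inventory changes.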
