Martin, I see. In that case, it would be nice to insert a variable in the <hostname></hostname> tag. Then you could define groups of systems into one nice entry.

-Reggie

Martin Tartarelli wrote:
> Reggie,
>
> 2009/2/20 Reggie Griffin <[email protected]>:
>
>> Martin,
>>
>> I use the <hostname></hostname> parameter to accomplish this within my
>> local_rules.xml file.
>> Default location is /var/ossec/rules/local_rules.xml.
>>
>> Here is an example:
>>
>> <rule id="100019" level="0">
>>   <if_sid>30112</if_sid>
>>   <hostname>server2</hostname>
>>   <description>Rule that ignores noisy errors from server2</description>
>> </rule>
>>
>> <rule id="100020" level="3">
>>   <if_sid>30112</if_sid>
>>   <hostname>server1</hostname>
>>   <description>Rule that limits the alert level for server1</description>
>> </rule>
>>
>> If I am understanding you correctly, I believe you can have multiple
>> <hostname></hostname> entries within the same rule id.
>>
>> -Reggie
>
> Thanks for your answer, it's a good idea, but the problem with that is
> that when you have more than 500 servers, it's very difficult to create a
> rule per host. In my case I would like to discriminate server vs. risk in
> OSSEC with the alert level.
>
>> Martin Tartarelli wrote:
>>
>>> Any idea?
>>>
>>> ---------- Forwarded message ----------
>>> From: Martin Tartarelli <[email protected]>
>>> Date: 2009/2/13
>>> Subject: OSSEC with one or more Instance
>>> To: [email protected]
>>>
>>> List, I need your help...
>>>
>>> OSSEC has the ability to discriminate critical alerts using the Alert
>>> Level. Now, what happens when I use a second critical factor in terms
>>> of servers?
>>> For example...
>>>
>>> Critical H
>>>   SRV-PROD1
>>>   SRV-PROD2
>>>   rule id="1852" with alert level="8"
>>>
>>> Critical M
>>>   SRV-DESA1
>>>   SRV-DESA2
>>>   rule id="1852" with alert level="7"
>>>
>>> Critical L
>>>   SRV-RECO1
>>>   SRV-TEMP
>>>   rule id="1852" with alert level="5"
>>>
>>> What if I want to take the spoils but with a different warning alert
>>> level (because one server is more critical than the other)?
>>> Can I create multiple instances on the same server? In practice, how can
>>> one discriminate XML (with rules) for different servers? Can I do
>>> that? (maybe with more instances on the OSSEC server)
>>>
>>> Thanks
>>>
>>> --
>>> Martin Tartarelli
>>> Linux User #476492
>>> --
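An added example of the host grouping Reggie suggests, written for this page and not taken from either poster or from the OSSEC project: the `<hostname>` field in an OSSEC rule takes OS_Match syntax, so `^` anchors the start of the name and `|` separates alternatives, which lets one prefix or one short list stand for a whole group of agents instead of one rule per host. The child rules below hang off rule 1852 (the parent Martin picked) and give it a different level per group; hosts that match no child keep the original level. The host name patterns and the local ids 100100 to 100102 are assumptions, chosen only to land in the 100000 to 119999 range reserved for local rules.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml, not code from the
     thread. Assumptions: the agents are named SRV-PROD*, SRV-DESA*,
     SRV-RECO*, SRV-TEMP*, and rule 1852 is the parent whose level should
     depend on the group. Local rule ids must be in 100000-119999. -->
<group name="local,">

  <!-- Critical H: every agent whose name starts with SRV-PROD -->
  <rule id="100100" level="8">
    <if_sid>1852</if_sid>
    <hostname>^SRV-PROD</hostname>
    <description>Rule 1852 on a production server (Critical H)</description>
  </rule>

  <!-- Critical M: an explicit list, alternatives joined with | -->
  <rule id="100101" level="7">
    <if_sid>1852</if_sid>
    <hostname>^SRV-DESA1|^SRV-DESA2</hostname>
    <description>Rule 1852 on a development server (Critical M)</description>
  </rule>

  <!-- Critical L: two prefixes cover the lab and temporary hosts -->
  <rule id="100102" level="5">
    <if_sid>1852</if_sid>
    <hostname>^SRV-RECO|^SRV-TEMP</hostname>
    <description>Rule 1852 on a low-criticality server (Critical L)</description>
  </rule>

</group>
```

Two checks worth doing before relying on this. First, the name compared is the one OSSEC records as the event source (for agent-forwarded events, the agent name as registered with manage_agents), so the patterns must follow the naming used at registration, not DNS. Second, keep the patterns non-overlapping (a broad `^SRV-` would match every group), so the resulting level does not depend on which child rule is evaluated first. Feed a sample event to /var/ossec/bin/ossec-logtest and confirm that the expected 1001xx rule and level are reported before restarting with /var/ossec/bin/ossec-control restart.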
