Reggie,

2009/2/23 Reggie Griffin <[email protected]>:
>
> Martin,
>
> I see. In that case, it would be nice to insert a variable in the
> <hostname></hostname> tag. Then you could define groups of systems
> into one nice entry.
>

=) Interesting....... How can I do that?

> -Reggie
>
> Martin Tartarelli wrote:
>> Reggie,
>>
>> 2009/2/20 Reggie Griffin <[email protected]>:
>>
>>> Martin,
>>>
>>> I use the <hostname></hostname> parameter to accomplish this within my
>>> local_rules.xml file.
>>> Default location is /var/ossec/rules/local_rules.xml.
>>>
>>> Here is an example:
>>>
>>> <rule id="100019" level="0">
>>>   <if_sid>30112</if_sid>
>>>   <hostname>server2</hostname>
>>>   <description>Rule that ignores noisy errors from server2</description>
>>> </rule>
>>>
>>> <rule id="100020" level="3">
>>>   <if_sid>30112</if_sid>
>>>   <hostname>server1</hostname>
>>>   <description>Rule that limits the alert level for server1</description>
>>> </rule>
>>>
>>> If I am understanding you correctly, I believe you can have multiple
>>> <hostname></hostname> entries within the same rule id.
>>>
>>> -Reggie
>>>
>>
>> Thanks for your answer, it's a good idea, but the problem with that is
>> that when you have more than 500 servers it's very difficult to create a
>> rule per host. In my case I would like to discriminate servers by risk in
>> OSSEC with the alert level.
>>
>>> Martin Tartarelli wrote:
>>>
>>>> Any idea?
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Martin Tartarelli <[email protected]>
>>>> Date: 2009/2/13
>>>> Subject: OSSEC with one or more Instance
>>>> To: [email protected]
>>>>
>>>> List, I need your help...
>>>>
>>>> OSSEC has the ability to discriminate critical alerts using the Alert
>>>> Level. Now, what happens when I use a second critical factor in terms
>>>> of servers?
>>>> For example...
>>>>
>>>> Critical H
>>>>   SRV-PROD1
>>>>   SRV-PROD2
>>>>   rule id="1852" with alert level="8"
>>>>
>>>> Critical M
>>>>   SRV-DESA1
>>>>   SRV-DESA2
>>>>   rule id="1852" with alert level="7"
>>>>
>>>> Critical L
>>>>   SRV-RECO1
>>>>   SRV-TEMP
>>>>   rule id="1852" with alert level="5"
>>>>
>>>> What if I want to take the same alerts but with a different warning
>>>> alert level (because one server is more critical than the other)?
>>>> Can I create multiple instances on the same server? In practice, how
>>>> can one discriminate the XML (with rules) for different servers? Can I
>>>> do that? (maybe with more instances on the OSSEC server)
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> Martin Tartarelli
>>>> Linux User #476492
>>>> --
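One way to get the per-tier alert levels Martin asks for without writing one rule per host, added here as an example and not code from the thread or from the OSSEC project: keep a small tier-to-hosts table and generate the child rules for local_rules.xml from it, one rule per tier rather than per server. It assumes that OSSEC's <hostname> field, like its other OS_Match fields, honours `|` as alternation and `^`/`$` as anchors, so a whole tier fits in one <hostname> entry; check that against the OSSEC version you run. The parent rule id 1852, the host names and the levels are taken from the original question; the local rule ids are allocated from the 100000-119999 range reserved for local rules, and `level_for` is a check on the generated file that mirrors the generator's own pattern semantics, not OSSEC's matcher.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed tier table, taken from the thread's example: tier -> (alert level, hosts).
TIERS = {
    "Critical H": (8, ["SRV-PROD1", "SRV-PROD2"]),
    "Critical M": (7, ["SRV-DESA1", "SRV-DESA2"]),
    "Critical L": (5, ["SRV-RECO1", "SRV-TEMP"]),
}

PARENT_SID = 1852        # the rule whose level is overridden per tier
FIRST_LOCAL_ID = 100100  # local rule ids must stay within 100000-119999


def hostname_pattern(hosts):
    """Build one OS_Match alternation covering every host of a tier.

    Each name is anchored with ^ and $ so SRV-TEMP does not also match
    SRV-TEMP2. Assumption: '|', '^' and '$' are honoured inside
    <hostname>; verify on your OSSEC version.
    """
    if not hosts:
        raise ValueError("a tier needs at least one host")
    return "|".join(f"^{h}$" for h in hosts)


def generate_local_rules(tiers=TIERS, parent_sid=PARENT_SID, first_id=FIRST_LOCAL_ID):
    """Return a <group> of child rules, one per tier, ready for local_rules.xml.

    Every child rule hangs off the parent via <if_sid> and carries the tier's
    level, so an event from a tier host fires with that level instead of the
    parent's default.
    """
    lines = ['<group name="local,syslog,">']
    rule_id = first_id
    for tier, (level, hosts) in tiers.items():
        if not 0 <= level <= 15:
            raise ValueError(f"level {level} for {tier} is outside 0-15")
        if rule_id > 119999:
            raise ValueError("ran out of local rule ids (100000-119999)")
        lines += [
            f'  <rule id="{rule_id}" level="{level}">',
            f'    <if_sid>{parent_sid}</if_sid>',
            f'    <hostname>{escape(hostname_pattern(hosts))}</hostname>',
            f'    <description>{escape(tier)}: override level of rule {parent_sid}</description>',
            '  </rule>',
        ]
        rule_id += 1
    lines.append('</group>')
    return "\n".join(lines) + "\n"


def level_for(host, xml_text, parent_sid=PARENT_SID):
    """Return the level the generated file would assign to `host`, or None.

    Parses the generated XML back and applies the same anchored, '|'-separated
    semantics the generator wrote, so it validates the file, not OSSEC itself.
    """
    root = ET.fromstring(xml_text)
    for rule in root.findall("rule"):
        if rule.findtext("if_sid") != str(parent_sid):
            continue
        names = [alt.strip("^$") for alt in rule.findtext("hostname").split("|")]
        if host in names:
            return int(rule.get("level"))
    return None


if __name__ == "__main__":
    print(generate_local_rules(), end="")
```

Run the script and append its output to /var/ossec/rules/local_rules.xml (or drop it into its own file and add that file to the rules list), then restart the OSSEC server. The hostname being matched is the one OSSEC attaches to the event (the syslog header hostname or the agent name, depending on the source), so the names in the table have to be spelled exactly as they appear in OSSEC's alerts. Hosts in no tier keep the parent rule's level, which is the safe default when the table lags behind the inventory.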
