It's not possible from what I know. The hostname is picked up when parsing the log file, at least from what the online docs say. I was thinking out loud. :-p

-Reggie

Martin Tartarelli wrote:
> Reggie,
>
> 2009/2/23 Reggie Griffin <[email protected]>:
>> Martin,
>>
>> I see. In that case, it would be nice to insert a variable in the
>> <hostname></hostname> tag. Then you could define groups of systems into
>> one nice entry.
>
> =) Interesting....... How can I do that?
>
>> -Reggie
>>
>> Martin Tartarelli wrote:
>>> Reggie,
>>>
>>> 2009/2/20 Reggie Griffin <[email protected]>:
>>>> Martin,
>>>>
>>>> I use the <hostname></hostname> parameter to accomplish this within my
>>>> local_rules.xml file.
>>>> Default location is /var/ossec/rules/local_rules.xml.
>>>>
>>>> Here is an example:
>>>>
>>>> <rule id="100019" level="0">
>>>>   <if_sid>30112</if_sid>
>>>>   <hostname>server2</hostname>
>>>>   <description>Rule that ignores noisy errors from server2</description>
>>>> </rule>
>>>>
>>>> <rule id="100020" level="3">
>>>>   <if_sid>30112</if_sid>
>>>>   <hostname>server1</hostname>
>>>>   <description>Rule that limits the alert level for server1</description>
>>>> </rule>
>>>>
>>>> If I am understanding you correctly, I believe you can have multiple
>>>> <hostname></hostname> entries within the same rule id.
>>>>
>>>> -Reggie
>>>
>>> Thanks for your answer, it's a good idea, but the problem with that is
>>> when you have more than 500 servers it's very difficult to create a
>>> rule by host. In my case I'd like to discriminate server vs risk on
>>> OSSEC with alert level.
>>>
>>>> Martin Tartarelli wrote:
>>>>> Any idea?
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Martin Tartarelli <[email protected]>
>>>>> Date: 2009/2/13
>>>>> Subject: OSSEC with one or more Instance
>>>>> To: [email protected]
>>>>>
>>>>> List, I need your help...
>>>>>
>>>>> OSSEC has the ability to discriminate critical alerts using the Alert
>>>>> Level. Now, what happens when I use a second critical factor in terms
>>>>> of servers?
>>>>> For example...
>>>>>
>>>>> Critical H
>>>>> SRV-PROD1
>>>>> SRV-PROD2
>>>>> rule id="1852" with alert level="8"
>>>>>
>>>>> Critical M
>>>>> SRV-DESA1
>>>>> SRV-DESA2
>>>>> rule id="1852" with alert level="7"
>>>>>
>>>>> Critical L
>>>>> SRV-RECO1
>>>>> SRV-TEMP
>>>>> rule id="1852" with alert level="5"
>>>>>
>>>>> What if I want to take the spoils but with a different warning alert
>>>>> level? (because a server is more critical than the other).
>>>>> Can I create multiple instances on the same server? In practice, how
>>>>> can one discriminate xml (with rules) for different servers? Can I do
>>>>> that? (maybe with more instances on the OSSEC server)
>>>>>
>>>>> Thanks
>>>>>
>>>>> --
>>>>> Martin Tartarelli
>>>>> Linux User #476492
>>>>> --
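Martin's problem (one alert level per tier of hosts, not one rule per host) can be handled by generating the per-host overrides Reggie describes from a tier-to-hosts map, one rule per tier. The script below is an added example and is not code from the thread or from OSSEC. It assumes, which the thread does not confirm, that the `<hostname>` field accepts OSSEC's OS_Match syntax (`^` and `$` anchors and `|` between alternatives) and that rule ids from 100100 upward are free in local_rules.xml; the tiers, hosts and the parent rule id 30112 (taken from Reggie's example) are constructed sample data, and the `_os_match` helper is a simplified model written for the example, not OSSEC's matcher.

```python
"""Generate OSSEC local_rules.xml overrides that give one alert level per
criticality tier of hosts, rather than one rule per host.

Added example, not code from the thread or from OSSEC.  Assumptions (not
confirmed by the page): <hostname> accepts OS_Match syntax ('^'/'$' anchors,
'|' for alternatives) and ids from 100100 upward are free for local rules.
The tiers, hosts and parent rule id below are constructed sample data.
"""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: criticality tier -> (alert level, hosts in that tier).
TIERS = {
    "H": (8, ["SRV-PROD1", "SRV-PROD2"]),
    "M": (7, ["SRV-DESA1", "SRV-DESA2"]),
    "L": (5, ["SRV-RECO1", "SRV-TEMP"]),
}
PARENT_SID = 30112  # rule whose level is overridden per tier (Reggie's example id)


def hostname_pattern(hosts):
    """Anchor each name so 'SRV-PROD1' does not also match 'SRV-PROD10',
    then join the alternatives with '|' (assumed OS_Match semantics)."""
    return "|".join(f"^{h}$" for h in sorted(hosts))


def tier_rules(parent_sid, tiers, first_id=100100):
    """One override rule per tier, highest level first, as plain dicts."""
    ordered = sorted(tiers.items(), key=lambda kv: -kv[1][0])
    return [
        {
            "id": first_id + n,
            "level": level,
            "hostname": hostname_pattern(hosts),
            "description": f"Criticality {tier}: rule {parent_sid} at level {level}",
        }
        for n, (tier, (level, hosts)) in enumerate(ordered)
    ]


def render_local_rules(parent_sid, tiers, first_id=100100):
    """Render the rules as a <group> block ready to paste into local_rules.xml."""
    out = ['<group name="local,">']
    for r in tier_rules(parent_sid, tiers, first_id):
        out += [
            f'  <rule id="{r["id"]}" level="{r["level"]}">',
            f'    <if_sid>{parent_sid}</if_sid>',
            f'    <hostname>{escape(r["hostname"])}</hostname>',
            f'    <description>{escape(r["description"])}</description>',
            '  </rule>',
        ]
    out.append('</group>')
    return "\n".join(out) + "\n"


def _os_match(pattern, value):
    """Simplified model of OS_Match for testing only: '|' separates
    alternatives; an alternative written '^...$' must equal the value,
    anything else is treated as a substring match."""
    for alt in pattern.split("|"):
        if alt.startswith("^") and alt.endswith("$"):
            if value == alt[1:-1]:
                return True
        elif alt in value:
            return True
    return False


def level_for_host(parent_sid, tiers, host, parent_level):
    """Level an event from `host` would get: the first tier rule whose
    <hostname> matches wins; otherwise the parent rule's own level."""
    for r in tier_rules(parent_sid, tiers):
        if _os_match(r["hostname"], host):
            return r["level"]
    return parent_level


def check_rules(xml_text):
    """Parse the rendered XML and verify every rule id is unique; return the count."""
    root = ET.fromstring(xml_text)
    ids = [int(rule.get("id")) for rule in root.iter("rule")]
    if len(ids) != len(set(ids)):
        raise ValueError(f"duplicate rule ids: {ids}")
    return len(ids)


if __name__ == "__main__":
    xml_text = render_local_rules(PARENT_SID, TIERS)
    print(xml_text, end="")
    print(f"{check_rules(xml_text)} rules; SRV-DESA2 -> level "
          f"{level_for_host(PARENT_SID, TIERS, 'SRV-DESA2', parent_level=3)}")
```

Hosts in no tier keep the parent rule's level, and the tiers are emitted highest level first so a host accidentally listed in two tiers gets the stricter one. Which name OSSEC compares against `<hostname>` is whatever it recorded as the event's hostname when it parsed the log, as Reggie notes, so before deploying run a sample line from each tier through ossec-logtest and confirm the override rule id and level it reports.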
