I tried that and no luck.
Example in my local_rules.xml:
<rule id="100400" level="6">
<srcip>2.2.2.2</srcip>
<if_sid>18101</if_sid>
<description>Windows informational event from SRV1.</description>
</rule>
Tried replacing srcip with hostname and no change.
-Derek
>
> Hi Derek,
>
> Have you looked into using the <hostname> or <srcip> tags in your
> rules?
>
>
> Cheers,
> Michael
>
> On Jul 29, 1:38 pm, "Derek J. Morris" <[email protected]>
> wrote:
>> Has anyone made or knows how to make an alert say Informational from Windows
>> system event log (level 5) but if it comes from a specific server (say: SRV1)
>> make it change its alert number higher than the level 5 it normally gets say
>> 8.
>>
>> Want to basically know every event from some servers and just the higher level
>> ones from other servers, some servers are very critical and some not.
>>
>> -Derek Morris
>