I haven't played with srcip, but I know I've gotten the <hostname> correct.
Try:
<rule id="100400" level="6">
<if_sid>18101</if_sid>
<hostname>your-servers-hostname</hostname>
<description>Windows informational event from SRV1.</description>
</rule>
Just a guess, but did you try both the short hostname and the FQDN?
-Michael
On Thu, Jul 30, 2009 at 8:34 AM, Derek J. Morris
<[email protected]> wrote:
>
> I tried that and no luck.
>
>
> Example in my local_rules.xml
>
> <rule id="100400" level="6">
> <srcip>2.2.2.2</srcip>
> <if_sid>18101</if_sid>
> <description>Windows informational event from SRV1.</description>
> </rule>
>
> tried replacing srcip with hostname and no change.
>
> -Derek
>
> >
> > Hi Derek,
> >
> > Have you looked into using the <hostname> or <srcip> tags in your
> > rules?
> >
> >
> > Cheers,
> > Michael
> >
> > On Jul 29, 1:38 pm, "Derek J. Morris" <[email protected]>
> > wrote:
> >> Has anyone made or knows how to make an alert say Informational from
> >> Windows system event log (level 5) but if it comes from a specific
> >> server (say: SRV1) make it change its alert number higher than the
> >> level 5 it normally gets, say 8.
> >>
> >> Want to basically know every event from some servers and just the
> >> higher level ones from other servers, some servers are very critical
> >> and some not.
> >>
> >> -Derek Morris
> >
>
>
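As an added illustration, not code from either Derek or Michael, here is a local_rules.xml fragment that does what the thread is after: raise every Windows informational event (rule 18101) from the critical server to level 8 while all other servers keep the stock level. It assumes the agent is registered with the name SRV1 and the address 2.2.2.2 used in the thread; the rule ids 100400/100401 are placeholders in the local range.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the thread).
     Assumes the Windows informational rule id 18101, an agent registered
     as SRV1, and the address 2.2.2.2 mentioned in the thread. -->
<group name="local,windows,">

  <!-- Escalate every Windows informational event from SRV1 to level 8.
       <hostname> is compared against the agent name OSSEC records for the
       event (the name in parentheses in the log location, e.g.
       "(SRV1) 2.2.2.2->WinEvtLog"), so it must be the name the agent was
       registered with in the manager, which need not be the DNS short
       name or the FQDN of the box. The match is a partial regex match. -->
  <rule id="100400" level="8">
    <if_sid>18101</if_sid>
    <hostname>SRV1</hostname>
    <description>Windows informational event from critical server SRV1.</description>
  </rule>

  <!-- Keyed on the address instead. Caveat: <srcip> matches the srcip
       field that the decoder pulls out of the event text, not the agent's
       own address, so it only fires for events whose body carries a
       source IP. For most Windows informational events it is empty, which
       is the usual reason a <srcip>-only rule never triggers. -->
  <rule id="100401" level="8">
    <if_sid>18101</if_sid>
    <srcip>2.2.2.2</srcip>
    <description>Windows informational event from 2.2.2.2.</description>
  </rule>

</group>
```

After restarting the manager, feed a captured SRV1 event through /var/ossec/bin/ossec-logtest and confirm that rule 100400 is the one reported; if 18101 still fires instead, the name in <hostname> does not match the registered agent name.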