Hi Serge,

You definitely can. In the rule, try the following:

  <rule id="100102" level="0">
    <if_sid>1002</if_sid>
    <hostname>/var/log/messages</hostname>
    <description>ignoring from /var/log/messages</description>
  </rule>

In this example, it will ignore any alert from rule 1002 that came from /var/log/messages. Note that the "hostname" tag matches the agent name, agent ip and log file.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Mar 25, 2010 at 6:26 PM, Serge Dubrouski <[email protected]> wrote:
> Hello -
>
> Is it possible to create a custom decoder that will match particular
> logfile name? I'm trying to build a monitoring over our applications
> that generate some log files that basically follow syslog format but
> fire too many 1002 (Unknown problem somewhere) alerts in ossec. So I'd
> like to filter them out from the regular syslog monitoring based on
> their location of filename.
>
> Thanks.
>
> --
> Serge Dubrouski.
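Before adding a level-0 rule like the one in the reply, it helps to measure what it would silence. The script below is an added example, not code from this thread or from OSSEC: it parses constructed alerts.log-style entries, counts rule 1002 alerts per location, and estimates what a given <hostname> value would suppress. The alerts.log layout and the plain substring match are assumptions standing in for OSSEC's own matcher.

```python
import re
from collections import Counter

# Constructed sample in the layout of an OSSEC alerts.log (not taken from the thread).
SAMPLE_ALERTS = """\
** Alert 1269560760.1: - syslog,errors,
2010 Mar 25 18:26:00 (app01) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Mar 25 18:25:59 app01 myapp[4242]: request failed: error code 500

** Alert 1269560761.2: - syslog,errors,
2010 Mar 25 18:26:01 (app01) 10.0.0.5->/var/log/myapp/app.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Mar 25 18:26:00 app01 myapp[4242]: error: retrying upstream

** Alert 1269560762.3: - syslog,errors,
2010 Mar 25 18:26:02 (app01) 10.0.0.5->/var/log/myapp/app.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Mar 25 18:26:01 app01 myapp[4242]: error: retrying upstream

** Alert 1269560763.4: - syslog,sshd,authentication_failed,
2010 Mar 25 18:26:03 (app01) 10.0.0.5->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Mar 25 18:26:02 app01 sshd[911]: Failed password for invalid user test from 10.0.0.9
"""
# Second line of each block: "<timestamp> (<agent name>) <agent ip>-><log file>"
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} [\d:]+ (.+)$", re.MULTILINE)
RULE_RE = re.compile(r"^Rule: (\d+) ", re.MULTILINE)

def parse_alerts(text):
    """Yield (rule_id, location) for every alert block in alerts.log text."""
    for block in text.split("** Alert ")[1:]:
        loc, rid = LOCATION_RE.search(block), RULE_RE.search(block)
        if loc and rid:
            yield int(rid.group(1)), loc.group(1)

def count_by_location(text, rule_id=1002):
    """How many alerts for rule_id each location (agent, ip, file) produced."""
    return Counter(loc for rid, loc in parse_alerts(text) if rid == rule_id)

def would_suppress(location, hostname_pattern):
    """Model of the <hostname> check against the whole location string (agent name,
    ip and log file). Assumption: substring test stands in for OSSEC's matcher."""
    return hostname_pattern in location

def suppressed_counts(text, hostname_pattern, rule_id=1002):
    """(suppressed, kept) if a level-0 rule with that if_sid and hostname were added."""
    counts = count_by_location(text, rule_id)
    hit = sum(n for loc, n in counts.items() if would_suppress(loc, hostname_pattern))
    return hit, sum(counts.values()) - hit
```

Run `suppressed_counts(SAMPLE_ALERTS, "/var/log/myapp/app.log")` to see that a file-specific pattern leaves the /var/log/messages alert intact, while a pattern such as the agent name would silence every 1002 alert from that agent.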
