Actually, I found my answer (go figure) right after posting...doh http://groups.google.com/group/ossec-list/browse_thread/thread/86d708ca7f28b185/b63dfd63389f1824?lnk=gst&q=ignore+by+log#b63dfd63389f1824
Looks like <hostname> does the trick. On Jul 20, 4:37 pm, "dan (ddp)" <[email protected]> wrote: > Have you tried <location>? > > > > > > > > On Wed, Jul 20, 2011 at 6:57 PM, jplee3 <[email protected]> wrote: > > Hey all, > > > Sorry if this was covered elsewhere, but I was wondering if it's > > possible to setup chained rules (in this case, a rule to ignore) based > > on log names. > > > Essentially, I would want to ignore a Rule 1002 (level="0") *IF* the > > log source is /var/log/apache.log: > > > 2011 Jul 20 15:54:45 (server1) 10.1.4.125->/var/log/apache.log > > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' > > Src IP: (none) > > User: (none) > > Error > > > Is this possible?
