It should be easier to filter based on the agent name. Just use:

<hostname>logger</hostname>

thanks,

--
Daniel B. Cid
http://dcid.me

On Tue, Mar 6, 2012 at 3:29 PM, Mike Wisniewski <[email protected]> wrote:
> Hi!
>
> I just started using OSSEC and am starting to tailor the rules. In my
> alerts file, I keep getting this message.
>
> ** Alert 1331045533.3270: - ossec,rootcheck,
> 2012 Mar 06 08:52:13 logger->rootcheck
> Rule: 516 (level 3) -> 'System Audit event.'
> System Audit: CIS - Debian Linux 4.16 - Disable standard boot services
> - MySQL server Enabled. File: /etc/init.d/mysql. Reference:
> http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
>
> The machine legitimately has a MySQL server on it, and I'd like to
> ignore it for the machine. I have configured the following rule...
>
> <rule id="100516" level="0">
>   <if_sid>516</if_sid>
>   <match>MySQL server Enabled.</match>
>   <description>Ignoring rule 516 - MySQL server</description>
> </rule>
>
> I reran the checks and it didn't flag the MySQL server this time,
> however, I believe this is a 'global' rule for all the machines OSSEC
> is on. (I have a server and multiple agents).
>
> If I only want this rule to flag on the "logger" machine, can I do
> something like this?
>
> <srcip>127.0.0.1</srcip>
>
> Logger's IP is 127.0.0.1. Since the logs show what I named the agent,
> it makes me think that it won't work....but the documentation says
> otherwise.
>
>
> Thanks!
> Mike
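Putting Daniel's suggestion into the rule Mike posted, as an added example that is not from the thread itself: the first rule is the one from the thread and suppresses the alert on every agent, the second adds `<hostname>` so only the agent named logger is ignored. The `local,` group name and the local_rules.xml placement are assumptions; the two rules are alternatives, not meant to coexist with the same id.

```xml
<!-- local_rules.xml (assumed file): suppressing rootcheck rule 516 globally vs. per agent -->
<group name="local,">

  <!-- Rule as posted in the thread: no agent restriction, so the MySQL finding
       is silenced on every agent the server manages -->
  <rule id="100516" level="0">
    <if_sid>516</if_sid>
    <match>MySQL server Enabled.</match>
    <description>Ignoring rule 516 - MySQL server</description>
  </rule>

  <!-- Per-agent alternative (use this one instead of the rule above):
       <hostname> matches the agent name that appears before "->" in the
       alert location ("logger->rootcheck"), so other agents keep alerting.
       Rootcheck events carry no source IP, which is why <srcip> is not
       the right selector here. -->
  <rule id="100516" level="0">
    <if_sid>516</if_sid>
    <hostname>logger</hostname>
    <match>MySQL server Enabled.</match>
    <description>Ignoring rule 516 - MySQL server on agent logger only</description>
  </rule>

</group>
```

Restart the OSSEC server after editing the rules so the change is loaded, then rerun the audit on another agent to confirm it still raises rule 516.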
