Hello, I have a few questions. Is it true that:
1. If I want to exclude some servers (and administrators) from getting email alerts for specific rules (not levels), I have to overwrite these rules in local_rules.xml and use <hostname>!excluded_server_hostname</hostname>.
2. The main group in local_rules.xml is <group name="local,syslog,"> </group>. If I add <group name="local,yum,"> </group> to the end of the file, I get XML errors and ossec-analysisd doesn't start. Does that mean that all overwritten rules must go in the first group?
3. <hostname> is extracted from a syslog event. <location> applies only to local files.

Thank you
IgnasR

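For readers following this thread, here is an added local_rules.xml fragment (example configuration, not from the poster or the OSSEC project) that lays out the structure the questions describe: a second <group> block placed after the default "local,syslog," group, and a rule overwritten with overwrite="yes" that carries the negated <hostname> the poster asks about. The rule id 5402 and the hostname "build-server" are assumed values chosen for illustration; the negated-hostname syntax is reproduced as the poster describes it and should be confirmed against the OSSEC rule documentation for the version in use. Each <group> element is opened and closed on its own, which is the usual reason a trailing group produces an XML parse error when it is not.

```xml
<!-- local_rules.xml: added example, not the poster's file -->

<!-- Default group shipped with OSSEC; existing local rules live here -->
<group name="local,syslog,">

  <!-- Overwrite an existing rule (id 5402 is an assumed example id) so that
       it no longer fires for one host. The "!" negation on <hostname> is the
       syntax described in the question above; the rest of the rule keeps the
       original level so alerting behaviour for other hosts is unchanged. -->
  <rule id="5402" level="3" overwrite="yes">
    <if_sid>5400</if_sid>
    <hostname>!build-server</hostname>
    <description>Successful sudo to ROOT executed (excluded on build-server)</description>
  </rule>

</group>

<!-- A second group in the same file. It must be a complete, closed element;
     an unclosed <group> or a stray tag here is what makes ossec-analysisd
     refuse to start with an XML error. -->
<group name="local,yum,">

  <!-- Assumed example: a local rule that only needs to match on hostname
       and location, ids 100001+ are the range reserved for local rules. -->
  <rule id="100001" level="0">
    <hostname>build-server</hostname>
    <match>Installed:</match>
    <description>Package installs on build-server are expected; no alert.</description>
  </rule>

</group>
```

After editing, run `ossec-logtest` with a sample line from the host in question and from any other host to confirm that the overwritten rule is still matched for the others and is skipped for the excluded one before restarting the daemon.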