Sorry, I can't answer #1 and #2, but for #3: yes, the hostname is extracted from the syslog event.
On Fri, Apr 20, 2012 at 6:04 AM, ignasr <[email protected]> wrote:
> Hello,
>
> I have a few questions. Is it true that:
>
> 1. If I want to exclude some servers (and administrators) from getting
> email alerts for specific rules (not levels), I have to overwrite these
> rules in local_rules.xml and use
> <hostname>!excluded_server_hostname</hostname>.
>
> 2. The main group in local_rules.xml is
> <group name="local,syslog,">
> </group>
> If I add
> <group name="local,yum,">
> </group>
> to the end of the file, I get XML errors and ossec-analysisd doesn't
> start. Does that mean that all overwritten rules must go in the first group?
>
> 3. <hostname> is extracted from a syslog event. <location> applies only to
> local files.
>
> Thank you
> IgnasR
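As an added worked example (not part of the original thread, and not OSSEC's own code): the point confirmed above is that the hostname comes from the syslog header of the event, so a line read from a local file without such a header carries no hostname at all. The Python below pulls the hostname out of an RFC 3164 header and then applies a `!hostname` exclusion pattern in the sense question #1 describes. The sample log lines are constructed; the negation semantics and the decision to treat a headerless line as "no match" are assumptions for illustration, not confirmed OSSEC behaviour.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample events (not taken from the thread). The first two carry an
# RFC 3164 syslog header, as a remote syslog sender would forward them; the
# third is a bare line as it would appear in a local log file.
SAMPLE_EVENTS = [
    "Apr 20 06:04:01 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 51022 ssh2",
    "Apr 20 06:04:02 build-box yum[811]: Installed: example-pkg-1.0-1.x86_64",
    "Installed: example-pkg-1.0-1.x86_64",
]

# RFC 3164 header: "Mmm dd hh:mm:ss hostname program[pid]: message"
_SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<rest>.*)$"
)


def extract_hostname(event: str) -> Optional[str]:
    """Return the hostname from a syslog header, or None if the line has none.

    A line read from a local file without a syslog header gives None: there is
    no hostname in the event for a <hostname> condition to look at.
    """
    m = _SYSLOG_HEADER.match(event)
    return m.group("hostname") if m else None


def hostname_matches(pattern: str, hostname: Optional[str]) -> bool:
    """Evaluate a hostname condition with optional '!' negation.

    '!build-box' reads as "any host except build-box". Treating a missing
    hostname as no match is this example's choice (an assumption), made so that
    a negated pattern never fires on an event whose origin is unknown.
    """
    negate = pattern.startswith("!")
    target = pattern[1:] if negate else pattern
    if hostname is None:
        return False
    equal = hostname == target
    return not equal if negate else equal


def alerting_events(events: List[str], pattern: str) -> List[Tuple[str, str]]:
    """Return (hostname, event) pairs for the events that satisfy the pattern."""
    out = []
    for ev in events:
        host = extract_hostname(ev)
        if hostname_matches(pattern, host):
            out.append((host, ev))
    return out


if __name__ == "__main__":
    # Alert on everything except the excluded build host.
    for host, ev in alerting_events(SAMPLE_EVENTS, "!build-box"):
        print(f"alert from {host}: {ev}")
```

Running it alerts only on the `web01` sshd line: the `build-box` line is excluded by the pattern, and the headerless local-file line has no hostname to compare, which is the practical consequence of the answer given above.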
