Good day everyone: Is there a way to modify rule 519 in ossec_rules.xml so that the description auto fills the agent name?
Current output of the rule:

2012 May 25 14:50:39 (agent_name_goes_here) agent_ip_goes_here->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /fullpath_goes_here/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .

I would like it if the "System Audit: Web vulnerability" included the agent name. Here is why: I would love to be able to send a report of vulnerable applications by agent to the party responsible for managing the agent. If I do the following:

    grep 'Web vulnerability' /var/ossec/logs/alerts.log

I only get the System Audit line, which, while it has the full path, doesn't have the agent name.

Can a rule include an agent name variable that will later be filled in when the alert is triggered? If yes, what does that look like? Thank you.
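One way to get the per-agent report described above without changing rule 519, as an added example that is not part of the original post: carry the agent name from each alert's header line down to the "Web vulnerability" line. It assumes the header, Rule and log lines appear on separate lines in alerts.log in the order quoted above; the function names, host names, addresses and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): prefix each
# "Web vulnerability" line in an OSSEC alerts log with its agent name.

# Constructed sample alerts, following the layout quoted in the post.
sample_alerts() {
cat <<'EOF'
2012 May 25 14:50:39 (web01) 192.0.2.10->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /var/www/blog/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .

2012 May 25 14:52:03 (web02) 192.0.2.11->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /srv/sites/shop/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .

2012 May 25 14:55:40 mgr01->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /var/www/wiki/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .
EOF
}

# Reads an alerts log (file arguments or stdin) and prints
# "<agent><TAB><System Audit line>" for every Web vulnerability finding.
vuln_by_agent() {
    awk '
        # Alert header: "<date> <time> (<agent>) <ip>-><source>"; a header
        # without parentheses is taken to be "<host>-><source>" (assumption).
        /^[0-9][0-9][0-9][0-9] [A-Z][a-z][a-z] [0-9]+ [0-9:]+ .*->/ {
            agent = $0
            if (agent ~ /\(.*\)/) {
                sub(/^[^(]*\(/, "", agent)   # drop everything up to "("
                sub(/\).*$/, "", agent)      # drop ")" and the rest
            } else {
                agent = $5
                sub(/->.*$/, "", agent)      # keep the host before "->"
            }
            next
        }
        /^Rule: / { next }                   # rule line carries no path
        /Web vulnerability/ { print (agent == "" ? "unknown" : agent) "\t" $0 }
        /^$/ { agent = "" }                  # blank line ends the alert
    ' "$@"
}

# With a file argument, report on it; otherwise run on the sample.
if [ $# -gt 0 ]; then vuln_by_agent "$@"; else sample_alerts | vuln_by_agent; fi
```

Run as `sh script.sh /var/ossec/logs/alerts.log`; piping the output through `sort` groups the findings by agent for each responsible party.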
