The only problem with that is creating hundreds of new rules. Also, I had posted about this a month or two ago - the child rules fire with ossec-logtest, but restarting the server - they don't fire under the actual manager - only under log test - which of course makes no sense at all. Still trying to troubleshoot how something can work with log test and NOT with the manager - even on the same system.
~J

On Thursday, February 6, 2014 5:07:35 AM UTC-8, dan (ddpbsd) wrote:
>
> On Tue, Feb 4, 2014 at 4:40 PM, Janelle <[email protected]> wrote:
> > Here is an interesting situation --
> >
> > One OSSEC Manager with say 1000 agents.
> >
> > 200 of those agents are located in a private DMZ, the remaining 800 behind
> > that zone. I created a CDB of the 200 hosts, and was wondering, could there
> > be a way to apply some text to a group of rules -- for example
> > <group>access_denied,</group> - so that anything from that particular group
> > - IF it also showed up in the CDB could add something like (Rule triggered
> > in DMZ) or something like that?
> >
> > Any ideas??
> >
>
> Create child rules containing the group you want.
>
> > ~J

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
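One way to express the "child rule on a group plus CDB lookup" idea from the thread, as an added example that is not from either poster or from the OSSEC project. The rule id `100200`, the list path `lists/dmz_hosts`, the level, and the assumption that the decoded `hostname` field carries the same name used as the CDB key are all hypothetical choices for illustration.

```xml
<!-- Added example (not from the thread). Ids, paths and the choice of
     the hostname field are assumptions; adjust to your deployment. -->

<!-- Fragment of ossec.conf on the manager: register the CDB list.
     The source file lists/dmz_hosts holds one "key:value" entry per
     line, e.g. "dmz-web-01:dmz" (constructed sample). -->
<ossec_config>
  <rules>
    <list>lists/dmz_hosts</list>
  </rules>
</ossec_config>

<!-- Fragment of rules/local_rules.xml: a single child rule that fires
     for any rule in the access_denied group when the event's hostname
     is a key in the CDB. One such rule is needed per group, not per
     parent rule. -->
<group name="local,dmz,">
  <rule id="100200" level="5">
    <if_group>access_denied</if_group>
    <list field="hostname" lookup="match_key">lists/dmz_hosts</list>
    <description>Access denied (Rule triggered in DMZ)</description>
  </rule>
</group>
```

The child rule's level replaces the parent's for matching events, so pick it deliberately. After changing the list source file, rebuild the CDB with `ossec-makelists` and restart the manager.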
