Hi all,

I'm relatively new to OSSEC and I believe I understand the process of writing custom rules. One of the issues I'm running into is wanting to write custom rules but only for specific agents. I currently have one OSSEC server with roughly twenty or so agents. Some of these agents are kicking off alerts that I want to ignore, but only on those agents specifically; I do not want to ignore them on all agents. I've seen posts that talk about using srcip or hostname, but these seem to pull the information from the host's logs and not from the agent itself. This seems like it would be a fundamental requirement of using the centralized system; however, I can't find the answer anywhere. Please help me figure this out.

Thanks.
- Patrick
