Thanks for the reply. From what I can tell hostname is determined by the actual contents of the log entry. For instance, if I'm looking at an Apache log, then hostname comes across as the virtual host that the request was made on and not the name of the agent.
On Monday, March 30, 2015 at 10:43:18 AM UTC-4, dan (ddpbsd) wrote:

> On Mon, Mar 30, 2015 at 10:37 AM, <[email protected]> wrote:
>
>> Hi all, I'm relatively new to Ossec and I believe I understand the process of writing custom rules. One of the issues I'm running into is wanting to write custom rules but only for specific agents. I currently have one Ossec server with roughly twenty or so agents. Some of these agents are kicking off alerts that I want to ignore, but only on those agents specifically; I do not want to ignore them on all agents. I've seen posts that talk about using srcip or hostname, but these seem to pull the information from the host's logs and not from the agent itself. This seems like it would be a fundamental requirement of using the centralized system; however, I can't find the answer anywhere. Please help me figure this out. Thanks.
>
> Did you try using hostname? I haven't looked into this in a while, but that is the answer that comes to mind.
>
>> - Patrick
>>
>> --
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
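For reference, this is the shape of the `<hostname>`-scoped override Dan is pointing at, written as an added example rather than anything posted in the thread. The agent name `web01`, the parent rule id `31101` and the local rule id `100010` are placeholders chosen for illustration; as Patrick observes above, whether `hostname` matches the agent name or a value taken from the log line itself depends on what the decoder fills in for that log format, so the match should be confirmed against the decoded output (for example with `ossec-logtest`) before relying on it to suppress alerts.

```xml
<!-- local_rules.xml: silence one parent rule on a single host only -->
<group name="local,">
  <!-- Child of the parent rule (31101 here is a placeholder id). -->
  <!-- level 0 means "do not alert" when this child matches. -->
  <rule id="100010" level="0">
    <if_sid>31101</if_sid>
    <!-- Only fires when the decoded hostname field equals web01.  -->
    <!-- Every other agent keeps the parent rule's normal alerting. -->
    <hostname>web01</hostname>
    <description>Parent rule 31101 ignored on web01 only</description>
  </rule>
</group>
```

Because the override is a level-0 child of the parent rule, the suppression is limited to the one host and leaves the alert active everywhere else, which is the narrower outcome the original question asks for.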
