What I have done is write specific rules for different source IP addresses (srcip).

On Monday, March 30, 2015 at 10:38:49 AM UTC-4, [email protected] wrote:
>
> Hi all, I'm relatively new to Ossec and I believe I understand the process of
> writing custom rules. One of the issues I'm running into is wanting to
> write custom rules but only for specific agents. I currently have one
> Ossec server with roughly twenty or so agents. Some of these agents are
> kicking off alerts that I want to ignore but only on those agents
> specifically, I do not want to ignore them on all agents. I've seen posts
> that talk about using srcip or hostname but these seem to pull the
> information from the host's logs and not from the agent itself. This seems
> like it would be a fundamental requirement of using the centralized system,
> however, I can't find the answer anywhere. Please help me figure this out.
> Thanks.
>
> - Patrick
