Last time I checked the hostname format is "(agent name) agent IP->logfile" and is not determined by the decoded logs in the file.
That means although you can use hostname to match specific log files (e.g. "<hostname>/var/log/apache2/foobar.access.log</hostname>") you don't have to and can also use it to match the agent name or agent IP part of the entry (e.g. "<hostname>backend4</hostname>").
If you are using hostname to filter apache logs based on the vhost, then I assume it is because your logs are vhost specific (something like www.something.tld.access.log).
On 3/30/2015 12:48 PM, [email protected] wrote:
> Thanks for the reply. From what I can tell hostname is determined by the actual contents of the log entry. For instance, if I'm looking at an Apache log, then hostname comes across as the virtual host that the request was made on and not the name of the agent.
>
> On Monday, March 30, 2015 at 10:43:18 AM UTC-4, dan (ddpbsd) wrote:
>> On Mon, Mar 30, 2015 at 10:37 AM, <[email protected]> wrote:
>>> Hi all, I'm relatively new to Ossec and I believe I understand the process of writing custom rules. One of the issues I'm running into is wanting to write custom rules but only for specific agents. I currently have one Ossec server with roughly twenty or so agents. Some of these agents are kicking off alerts that I want to ignore but only on those agents specifically, I do not want to ignore them on all agents. I've seen posts that talk about using srcip or hostname but these seem to pull the information from the host's logs and not from the agent itself. This seems like it would be a fundamental requirement of using the centralized system, however, I can't find the answer anywhere. Please help me figure this out. Thanks.
>>
>> Did you try using hostname? I haven't looked into this in a while, but that is the answer that comes to mind.
>>
>>> - Patrick
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
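An added example of the two kinds of per-agent override described in the reply at the top of this thread (it is not from the thread or from the OSSEC project): a level-0 child rule that silences a parent rule only where `<hostname>` matches the agent-name part of "(agent name) agent IP->logfile", and a second one keyed on a vhost-specific log path instead. Assumptions: `backend4` and `/var/log/apache2/foobar.access.log` are the names used in the reply; 31101 is assumed to be the stock OSSEC "web server 400 error code" rule and stands in for whatever rule is noisy on that agent; 100010 and 100011 are picked from the 100000-109999 range OSSEC reserves for local rules.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the thread or the project).
     Assumptions: agent "backend4" and the log path are the names used in the reply above;
     31101 is assumed to be OSSEC's stock "web server 400 error code" rule;
     ids 100010/100011 are chosen from the 100000-109999 range reserved for local rules. -->
<group name="local,apache,">

  <!-- Ignore the parent rule only on agent backend4. level="0" means "never alert",
       and if_sid makes this a child of 31101 so it only fires for events 31101 matched.
       hostname here is matched against the agent-name part of
       "(agent name) agent IP->logfile", per the reply above. -->
  <rule id="100010" level="0">
    <if_sid>31101</if_sid>
    <hostname>backend4</hostname>
    <description>Apache 400s on backend4 are known noise; ignored on this agent only.</description>
  </rule>

  <!-- Same idea keyed on the log file rather than the agent, which is the option
       to use when each vhost writes its own access log. -->
  <rule id="100011" level="0">
    <if_sid>31101</if_sid>
    <hostname>/var/log/apache2/foobar.access.log</hostname>
    <description>Apache 400s in foobar's vhost log are ignored, whichever agent sends them.</description>
  </rule>

</group>
```

After editing local_rules.xml, restart the server (`/var/ossec/bin/ossec-control restart`) and confirm in alerts.log that the parent rule still fires for the other agents: the level-0 rule is a per-agent exception, not a global suppression, and a `<hostname>` value that is also a prefix of another agent's name (backend4 versus backend40) should be checked against the live events since the field is a match pattern, not an exact string.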
