Hi Sean, if you want to filter by agent name, taking into account that the key is at the begin of the name, you could simply use this pattern:
<*agent_config* *name*=”^m1”> <!-- Settings for production servers --> </*agent*> <*agent_config* *name*=”^g1”> <!-- Settings for development servers --> </*agent*> <*agent_config* *name*=”^t5”> <!-- Settings for QA servers --> </*agent*> The *name* option filters by agent name. If you want to use profiles instead of agent names, you may use <*agent_config* *profile*=”"> in the *agent.conf* and set the agents' profile in their *ossec.con*f: <*client*> <*server-ip*>192.168.1.100</*server-ip*> <*config-profile*>production</*config-profile*> <*protocol*>udp</*protocol*> <*notify_time*>300</*notify_time*> <*time-reconnect*>900</*time-reconnect*> </*client*> Hope it help. Best regards. On Mon, Oct 9, 2017 at 10:13 AM, Sean Roe <sean...@gmail.com> wrote: > I did some more research, found that <agent_config profile=”"> might do > what I need, but how do I define which machines use which profile? Do I > define a block of servers in some profile block? Im still looking at the > documentation but Im not finding much info on it. > > Thanks, > Sean > > > On Monday, October 9, 2017 at 9:55:50 AM UTC-7, Sean Roe wrote: >> >> Hi All, >> >> I have been looking for documentation on how to break up out ignores >> based on server name: >> >> example: >> >> our prod servers all start with m1xxxxx.blah.blah >> our dev servers all start with g1xxxxx.blah.blah >> our QA servers all start with t5xxxxx.blah.blah >> >> (dont ask me, I didnt come up with the names). >> >> So for m1 servers we would like to have one set of ignores/excludes >> for g1 a different set, and for t5 pretty much dont care what gets >> changed as it changes all the time. >> >> Is there a way to do this and can somebody point me to the right docs? >> btw we are using the wazuh install. >> >> Thanks, >> Sean >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Victor M. Fernandez-Castro IT Security Engineer Wazuh Inc. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.