I don't know if there is a way to do this universally, but I think you
can always add a per-rule change in the local_rules.xml file. Take the
logon failure as an example:
Original Rule:
<rule id="2501" level="5">
  <match>FAILED LOGIN |authentication failure|</match>
  <match>Authentication failed for|invalid password for|</match>
  <match>LOGIN FAILURE|auth failure: |authentication error|</match>
  <match>authinternal failed|Failed to authorize|</match>
  <match>Wrong password given for|login failed|Auth: Login incorrect</match>
  <group>authentication_failed,</group>
  <description>User authentication failure.</description>
</rule>
Modified rule containing the host and higher level:
<rule id="2501" level="10">
  <match>FAILED LOGIN |authentication failure|</match>
  <match>Authentication failed for|invalid password for|</match>
  <match>LOGIN FAILURE|auth failure: |authentication error|</match>
  <match>authinternal failed|Failed to authorize|</match>
  <match>Wrong password given for|login failed|Auth: Login incorrect</match>
  <hostname>some_host_here</hostname>
  <group>authentication_failed,</group>
  <description>User authentication failure.</description>
</rule>
I could be wrong about this as I've only been using OSSEC for 2 weeks
now, but if I'm interpreting the manual correctly it should work.
Jimi
Derek J. Morris wrote:
> I have a server that any activity in the logs, I want to be given a different
> level than others. Is there a way I can call out that one server to be
> recognized as a higher alert level?
>
> Example:
>
> If agent 002 has an audit or logon failure that is normally a level 1, I want
> OSSEC to bump it to a level 7...also a level 2 bumped up to a level 8 and so
> on.
>
> - Derek Morris
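
An added example, not part of either message above: the same per-host bump written as a child rule in local_rules.xml, so that stock rule 2501 stays untouched and other hosts keep level 5. The rule ID 100100 and the group name "local" are constructed for illustration; some_host_here is the placeholder from the reply, and the example assumes the hostname field identifies the server the same way the modified rule above assumes.

```xml
<!-- local_rules.xml (added example; IDs and names marked below are assumptions) -->
<group name="local,syslog,">

  <!--
    Child of stock rule 2501. It is evaluated only after 2501 has already
    matched, so the <match> patterns do not need to be copied here.
    The alert is raised at level 10 only when the event also carries the
    given hostname; every other host still alerts through 2501 at level 5.

    id="100100" is a constructed ID taken from the 100000+ range that
    OSSEC reserves for user-defined rules.

    Assumes local_rules.xml is included after the stock rule files in
    ossec.conf, so that rule 2501 is already defined when this rule loads.
  -->
  <rule id="100100" level="10">
    <if_sid>2501</if_sid>
    <hostname>some_host_here</hostname>
    <group>authentication_failed,</group>
    <description>User authentication failure on some_host_here.</description>
  </rule>

</group>
```

A rule file edited this way can be checked before restarting OSSEC by feeding a sample log line to ossec-logtest and confirming which rule ID and level it reports.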