I don't know if there is a way to do this universally, but I think you can always add a per-rule change in the local_rules.xml file. Take the logon failure as an example:

Original Rule:

  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <match>Authentication failed for|invalid password for|</match>
    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
    <match>authinternal failed|Failed to authorize|</match>
    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>

Modified rule containing the host and higher level:

  <rule id="2501" level="10">
    <match>FAILED LOGIN |authentication failure|</match>
    <match>Authentication failed for|invalid password for|</match>
    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
    <match>authinternal failed|Failed to authorize|</match>
    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
    <hostname>some_host_here</hostname>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>

I could be wrong about this as I've only been using OSSEC for 2 weeks now, but if I'm interpreting the manual correctly it should work.

Jimi

Derek J. Morris wrote:
> I have a server that any activity in the logs, I want to be given a different
> level than others. Is there a way I can call out that one server to be
> recognized as a higher alert level.
>
> Example:
>
> If agent 002 has an audit or logon failure that is normally a level 1, I want
> ossec to bump it to a level 7...also a level 2 bumped up to a level 8 and so
> on.
>
> - Derek Morris
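
An added example, not part of the original thread or of the OSSEC rule set: a child rule for local_rules.xml that leaves stock rule 2501 unchanged and raises the level only when the event comes from one host. The rule id 100100 and the group name on the wrapper are assumptions chosen for illustration, and some_host_here is the placeholder used in the post.

```xml
<!-- local_rules.xml: added example, not from the original post -->
<group name="local,syslog,">

  <!-- 100100 is a placeholder id in the user-defined range (100000 and up) -->
  <rule id="100100" level="10">
    <!-- Evaluated only for events that already matched stock rule 2501 -->
    <if_sid>2501</if_sid>
    <!-- Placeholder host name; the rule fires only for this host -->
    <hostname>some_host_here</hostname>
    <group>authentication_failed,</group>
    <description>User authentication failure on some_host_here.</description>
  </rule>

</group>
```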