You can do it now. Filter based on:

rule_id
group
event_location

So your example should work.

Link: http://www.ossec.net/doc/manual/output/granular-email-output.html

Thanks,

On Wed, May 25, 2011 at 12:15 PM, Michael Starks <ossec-l...@michaelstarks.com> wrote:
> On 05/24/2011 09:33 PM, treydock wrote:
>>
>> With those active response rules built in, would this be the preferred
>> method for enabling alerts specifically for those rules? (for example
>> in case the alert threshold is above Level 3)
>>
>> <email_alerts>
>>   <email_to>u...@example.com</email_to>
>>   <rule_id>601, 602, 603, 604, 605, 606</rule_id>
>> </email_alerts>
>
> It would probably be easier to use the active_response group, like so:
>
> <email_alerts>
>   <email_to>u...@example.com</email_to>
>   <group>active_response</group>
> </email_alerts>
>
>> Secondly, how far from the current stable release is that revision?
>
> Not sure. That all depends on Daniel and if/when he wants these for the next
> release. I prepared them for inclusion but it's ultimately up to him what
> goes in, how it looks and when the release will be.
>