Hi;
My client's current ossec environment has 16 UNIX systems and 1 Windows
agent. Eventually, that's going to grow to about 25-30 UNIX agents and an
unknown but healthy number of Windows. They haven't asked for it yet; but,
I'm sure it's coming that the Windows admins would like to receive syscheck
alerts for Windows but not UNIX and vice versa.
I've seen the event_location tag for the email_alerts stanza. Can we use
regex in that tag? For instance, could I:
<email_alert>
  <email_to>${real_addr_goes_here}</email_to>
  <alert_location>\.*win\.*</alert_location>
</email_alert>
<email_alert>
  <email_to>${nuther_real_addr}</email_to>
  <alert_location>\.*uax\.*|nilrh\.*|urhsoa\.*</alert_location>
</email_alert>
I'd like to avoid having to specify 30 individual hosts in one
alert_location tag. I suppose I could set up multiple stanzas w/different
hosts, but that could quickly become an administrative nightmare too.
Any info/hints/tips/suggestions greatly appreciated.
Doug O'Leary
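Added example, not part of the post above: a small translator from the subset of OSSEC's own regex dialect used in the two patterns to Python regex, run over constructed agent location strings, so you can see which hosts each pattern would select before committing it to ossec.conf. It assumes OSSEC semantics where "\." means any character, a bare "." is a literal dot, and "*", "+", "?", "|", "^", "$" keep their usual meaning; the hostnames are invented.

```python
import re

# Constructed sample location strings in the shape OSSEC prints them:
# "(agent_name) agent_ip->log_source". Hostnames are invented for this example.
SAMPLE_LOCATIONS = [
    "(winsrv01) 10.0.0.11->syscheck",
    "(fileserver-win) 10.0.0.12->WinEvtLog",
    "(uax01) 10.0.1.5->syscheck",
    "(nilrh07) 10.0.1.9->/var/log/messages",
    "(urhsoa02) 10.0.1.14->syscheck",
    "(dbhost03) 10.0.1.20->syscheck",
]

# Assumed OSSEC escape classes: "\." any char, "\d" digit, "\w" word char, "\s" space.
OSSEC_CLASSES = {".": ".", "d": r"\d", "w": r"\w", "s": r"\s"}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-style pattern to a Python regex string.

    Everything except the escape classes above and the operators
    * + ? | ^ $ is treated as a literal character (so a bare "." is a dot).
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif c in "*+?|^$":
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def matching_locations(ossec_pattern: str, locations=SAMPLE_LOCATIONS) -> list:
    """Return the sample locations an OSSEC-style pattern would select (unanchored search)."""
    rx = re.compile(ossec_to_python(ossec_pattern))
    return [loc for loc in locations if rx.search(loc)]


if __name__ == "__main__":
    for pat in (r"\.*win\.*", r"\.*uax\.*|nilrh\.*|urhsoa\.*"):
        print(pat, "->", matching_locations(pat))
```

Run it with the real agent names from `agent_control -l` substituted into SAMPLE_LOCATIONS to check that neither stanza silently picks up a host it should not (for instance, a UNIX host whose name happens to contain "win").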