Hello,
     Apologies for what is probably an easy question, but I have looked 
around and not found an answer so here goes.  I am setting up granular 
email alerting for detected changes to files on sets of hosts and would 
like some help understanding if, or how, I can use regular expressions to 
define ranges of hosts where it would make sense to do so.  I am running 
OSSEC v2.7 on a CentOS v6 system as my server and an assorted bunch of 
CentOS 4-6 systems as my agents.  I have hosts with predictable names such 
as abc-prd-xxx-001, abc-prd-xxx-002, etc., and I have a lot of hosts to set up 
the alerting for.  Relevant snippets of my rules are:

<group name="syscheck">

  <rule id="100500" level="12">
    <if_matched_group>syscheck</if_matched_group>
    <match>/dir/subdir</match>
    <description>Changes to /dir/subdir/* - Critical file!</description>
  </rule>

  
</group> <!-- SYSCHECK -->

From my ossec.conf file:

  <email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>100500</rule_id>
    <event_location>abc-prd-xxx-001|abc-prd-xxx-002|abc-prd-xxx-003|abc-prd-xxx-005|abc-prd-xxx-006|</event_location>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

The difference is that there are approximately 75 hosts that would be 
configured into the event_location field.  The rule works and I do get 
emails sent when a change is detected, and I did try to use the regex syntax 
when defining the event_location field, but it didn't work.  Examples are:

    <event_location>abc-prd-xxx-00\d</event_location>
or
    <event_location>abc-prd-xxx-0\d+</event_location>

Any help would be...helpful :-)

-Thanks

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
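As an added example (it is not part of the post above and not OSSEC's own code), the following Python models the matching rules that apply to `<event_location>` in the `<email_alerts>` block. It rests on one assumption, which should be checked against the OSSEC source or documentation for the version in use: OSSEC compiles `event_location` with `OSMatch_Compile`, i.e. the simple "sregex" (OS_Match) syntax whose only metacharacters are `^`, `$` and `|`, not the fuller OS_Regex syntax that understands `\d` and `+`. Under that assumption `\d` and `+` are literal characters, which is consistent with the two patterns in the post matching nothing. The alert location strings are constructed samples in the `(agent) ip->location` form that the OSSEC alert log shows for agent events, and `build_event_location` is a helper written for this example, not an OSSEC function.

```python
# Added example, not from the ossec-list post or the OSSEC code base.
# It models the OSSEC "sregex" (OS_Match) syntax that the email_alerts
# <event_location> setting is compiled with (assumption stated in the lead-in):
#   - a pattern with no metacharacters is a substring match,
#   - "^" anchors the start of the text, "$" anchors the end,
#   - "|" separates alternatives, any one of which may match,
#   - every other character, including "\d" and "+", is a literal.


def os_match(pattern: str, text: str) -> bool:
    """Return True if `text` matches `pattern` under the OS_Match rules above."""
    for alt in pattern.split("|"):
        if not alt:
            # A stray "|" (e.g. a trailing one) yields an empty alternative;
            # treat it as matching nothing rather than everything.
            continue
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        literal = alt[1:] if anchored_start else alt
        literal = literal[:-1] if anchored_end else literal
        if anchored_start and anchored_end:
            hit = text == literal
        elif anchored_start:
            hit = text.startswith(literal)
        elif anchored_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def build_event_location(prefix: str, numbers, width: int = 3) -> str:
    """Join zero-padded host names with "|" for <event_location>.

    Helper written for this example (not an OSSEC function); it emits no
    trailing "|", so no empty alternative ends up in the pattern.
    """
    return "|".join(f"{prefix}{n:0{width}d}" for n in sorted(set(numbers)))


# Constructed sample alert locations in the "(agent) ip->location" form the
# OSSEC alert log shows for agent events (made up for this example).
SAMPLE_LOCATIONS = [
    "(abc-prd-xxx-001) 10.0.0.1->syscheck",
    "(abc-prd-xxx-002) 10.0.0.2->syscheck",
    "(abc-prd-xxx-004) 10.0.0.4->syscheck",
    "(abc-prd-xxx-006) 10.0.0.6->syscheck",
    "(abc-prd-xxx-042) 10.0.0.42->syscheck",
    "(abc-dev-xxx-001) 10.0.1.1->syscheck",
]


def hosts_alerted(pattern: str, locations=SAMPLE_LOCATIONS) -> list:
    """Return the agent names whose alert location matches `pattern`."""
    return [loc[1:loc.index(")")] for loc in locations if os_match(pattern, loc)]


if __name__ == "__main__":
    candidates = [
        r"abc-prd-xxx-00\d",   # from the post: "\d" is a literal here
        r"abc-prd-xxx-0\d+",   # from the post: "\d+" is literal here
        "abc-prd-xxx-00",      # substring: matches 001-009
        "abc-prd-xxx-0",       # substring: matches 001-099
        "^abc-prd-xxx-001",    # fails: locations start with "("
        build_event_location("abc-prd-xxx-", [1, 2, 3, 5, 6]),
    ]
    for pat in candidates:
        print(f"{pat!r:70} -> {hosts_alerted(pat)}")
```

Two practical consequences follow from the model. First, because an unanchored pattern is a substring match, a prefix such as `abc-prd-xxx-0` already selects every host numbered 001 through 099, so it only works as a "range" if no other hosts share that prefix; anchoring with `^` does not help, since the location string begins with `(`. Second, when an explicit subset is needed, generating the `|` list with a small helper like `build_event_location` keeps the 75-name element free of typos and of a trailing `|`, whose effect on OSSEC's matcher this example deliberately does not assume.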