Thanks for looking at this.
On Wed, Nov 6, 2013 at 6:30 AM, dan (ddp) <[email protected]> wrote: > On Tue, Nov 5, 2013 at 5:52 PM, funwithossec <[email protected]> wrote: > > Hello, > > Apologize for what is probably an easy question, but I have looked > > around and not found an answer so here goes. I am setting up granular > email > > alerting for detected changes to files on sets of hosts and would like > some > > help understanding if, or how, I can use regular expressions to define > > ranges of hosts where it would make sense t o do so. I am running ossec > > v2.7 on a CentOS v6 system as my server and an assorted bunch of CentOS > 4-6 > > systems as my agents. I have hosts with predictable names such as > > abc-prd-xxx-001, abc-prd-xxx-002 etc and I have a lot of hosts to set up > the > > alerting for. Relevant snippets of my rules are: > > > > <group name="syscheck"> > > > > <rule id="100500" level="12"> > > <if_matched_group>syscheck</if_matched_group> > > <match>/dir/subdir</match> > > <description>Changes to /dir/subdir/* - Critical file!</description> > > </rule> > > > > > > </group> <!-- SYSCHECK --> > > > > From my ossec.conf file: > > > > <email_alerts> > > <email_to>[email protected]</email_to> > > <rule_id>100500</rule_id> > > > > > <event_location>abc-prd-xxx-001|abc-prd-xxx-002|abc-prd-xxx-003|abc-prd-xxx-005|abc-prd-xxx-006|</event_location> > > <do_not_delay /> > > <do_not_group /> > > </email_alerts> > > > > The difference being that there are approx 75 hosts that would be > configured > > into the event_location field. The rule works and I do get emails sent > when > > a change is detected and I did try to use the regex syntax when defining > the > > event location field but it didn't work, example is: > > > > <event_location>abc-prd-xxx-00\d</event_location> > > or > > <event_location>abc-prd-xxx-0\d+</event_location> > > > > Any help would be...helpful :-) > > > > -Thanks > > > > > There's no real way to do this, you'll have to list them out. It > shouldn't take more than a few minutes to script the output though. > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
