Tks, Victor. I ended up doing something like it:

<hostname>host1|host2|host3</hostname>

but using the hostname from /etc/hostname of the servers running the agent.

Cheers,
Tom

On Friday, June 2, 2017 at 3:43:23 PM UTC, Victor Fernandez wrote:
> Hi Tom,
>
> there is a rule option, <hostname>, that should work for you.
>
> Alerts start this way:
>
> ** Alert 1488922301.778562: mail - ossec,syscheck,pci_dss_11.5,
> 2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck
>
> The text in red is the agent hostname, it has the form "(name) IP". Another
> instance may be "(myagent) any", when the agent was registered using
> IP="any".
>
> So if you want to create a rule that only applies to an agent called
> "myagent" you may use a rule such as this one:
>
> <rule id="100001" level="3">
>   <hostname>^(myagent)</hostname>
> </rule>
>
> Hope it helps.
>
> Best regards,
> Victor.
>
> On Friday, June 2, 2017 at 4:40:29 PM UTC+2, Tom Lobato wrote:
>> Is it possible to specify in which agents you want a certain rule enabled?