On 2012.08.10 06:02, Michael Starks wrote:
On 08/07/2012 04:53 PM, Kat wrote:
Ok, here is a tricky one I can't figure out..
I have a simple rule with an ignore=7200 so it does not fire too much.
BUT, what if I only want to set the ignore PER HOST? In other words, if
it triggers on another host it should alert then set the ignore timer.
Yeah, I am not aware of a clean/simple way to do this..
Any ideas?
Maybe I am misunderstanding, but can't you use <hostname>?
The solution interests me too.
I think one of the (not ideal) solutions is to clone rules, and match by
different host (hostname or srcip) in every of them.
IgnasR
