Thanks Peter and Daniel. Yeah I should probably reconfigure syslog
eventually. For now I'm also trying to increase my understanding of how rules
get triggered. It looks like your suggestion works for me, to add an
element in addition to . My first try was the
following addition to local_rules.xml

Hi Eric,
If you use the tag as Peter said, it will work properly (you can
probably add 1 to make sure it is inspected for every event). However,
OSSEC will still waste time processing these events, so it might be a
better idea to configure your syslog server to log every remote syslog
event from

Greetings Eric:
You should be able to update local_rules.xml and use the "hostname"
criteria.
Thank you.