Rule or Decoder specific host/ip


handea...@gmail.com

Mar 27, 2018, 8:19:25 AM
to ossec-list
Hi,

How do I generate a rule or decoder for a specific host/IP?

I tried adding "<location>ip_address</location>" to rule1 or decoder1, but it does not work.

dan (ddp)

Mar 27, 2018, 8:44:52 AM
to ossec...@googlegroups.com
Yeah, that won't work. Are you trying to match any log with that IP? That would be hard to do, not sure it's possible.
More information on what you're trying to accomplish might help.



handea...@gmail.com

Mar 28, 2018, 2:40:24 AM
to ossec-list
Thanks for the answer,

For example, rule1 only works for host1, host2, host3 and rule2 only works for host5, host6, host7.
How can I do that?

Example 2: maybe you know ManageEngine EventLog Analyzer. It can do this. See step 3 (Select Host/Group) at this link: https://www.manageengine.com/products/eventlog/help/alerts/create-alert-profile.html

Bill Price

Mar 28, 2018, 9:55:09 AM
to ossec-list
There is a little-documented feature in OSSEC called lists. It allows you to create a list of IPs for specific rules. I use them a lot.

Here is the link to the OSSEC to lists


Bill
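
Added example, not part of the thread or written by any poster: a configuration sketch of how an OSSEC CDB list can restrict a rule to a set of IPs. The list names, rule IDs, addresses and the choice of parent rule are constructed assumptions, and the lookup matches the decoded srcip field of the event.

```xml
<!-- Constructed example: list names, rule IDs and addresses are placeholders. -->

<!-- 1. List file /var/ossec/lists/group1_hosts, one "key:value" per line:
     10.0.1.11:host1
     10.0.1.12:host2
     10.0.1.13:host3
     A second file, lists/group2_hosts, holds host5 to host7 the same way. -->

<!-- 2. ossec.conf: declare each list so the analysis daemon loads it -->
<ossec_config>
  <rules>
    <list>lists/group1_hosts</list>
    <list>lists/group2_hosts</list>
  </rules>
</ossec_config>

<!-- 3. local_rules.xml: each rule fires only when srcip is a key in its list -->
<group name="local,">
  <rule id="100101" level="8">
    <!-- 5716: sshd authentication failure in the stock ruleset (sample parent) -->
    <if_sid>5716</if_sid>
    <list field="srcip" lookup="address_match_key">lists/group1_hosts</list>
    <description>sshd authentication failure from a group 1 address</description>
  </rule>

  <rule id="100102" level="10">
    <if_sid>5716</if_sid>
    <list field="srcip" lookup="address_match_key">lists/group2_hosts</list>
    <description>sshd authentication failure from a group 2 address</description>
  </rule>
</group>

<!-- 4. Compile the lists to .cdb and reload:
     /var/ossec/bin/ossec-makelists
     /var/ossec/bin/ossec-control restart -->
```

Running ossec-logtest against a sample log line after the restart shows which of the two rules, if either, matches for a given source address.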