This is more of question for my understanding...
In the examples section of CIM Add-on manual (for OSSEC) there is a statement that the Intrusion Detection data model requires the tags ids, attack, and host
If you look at the intrusion detection data model, the constraint is ids_type="host"
So host is not really a tag, but it is treated as such with regards to the data model?
thanks
tmkunte -- thanks for pointing this out. That is a docs bug. We should only be referring to ids and attack as tags. The additional constraint for a host intrusion detection is the presence of that ids_type field with a value of host, as you point out. We'll get it fixed!