Modifying the default rules directly isn't encouraged. Your changes will be overwritten on an upgrade. You should add custom rules to /var/ossec/rules/local_rules.xml. You can create custom rules to look for new things the default rules don't cover, or to ignore rules that are already in place.
On Mon, Apr 30, 2012 at 2:42 PM, A-Dubbs <arlendelcasti...@gmail.com> wrote:
> I'm looking for the rules file for adjusting what gets logged for
> Microsoft Windows systems. Is msauth_rules.xml the correct file?
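
A sketch of what the reply above describes, added here as an example and not taken from the thread or from the OSSEC distribution: a local_rules.xml with one rule that ignores a stock Windows rule for a specific event and one that adds a new alert. Assumptions: parent SIDs 18103 and 18107 are the "Windows error event" and "Windows Logon Success" rules in the stock msauth_rules.xml (check your installed copy), and the event ID and account name are constructed sample values.

```xml
<!-- /var/ossec/rules/local_rules.xml (survives upgrades, unlike msauth_rules.xml) -->
<!-- Custom rule IDs go in the user range 100000-119999. -->
<group name="local,windows,">

  <!-- Ignore an existing rule: a child of the stock rule with level 0
       produces no alert for the events it matches.
       Assumption: 18103 is "Windows error event" in msauth_rules.xml. -->
  <rule id="100001" level="0">
    <if_sid>18103</if_sid>
    <id>^1234$</id> <!-- constructed event ID, replace with the noisy one -->
    <description>Ignore known-noisy Windows error event 1234.</description>
  </rule>

  <!-- Look for something the default rules don't cover: raise the
       severity when a specific account logs on.
       Assumption: 18107 is "Windows Logon Success" in msauth_rules.xml. -->
  <rule id="100002" level="10">
    <if_sid>18107</if_sid>
    <user>^svc-backup$</user> <!-- constructed account name -->
    <description>Windows logon by service account svc-backup.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

Paste a sample event into /var/ossec/bin/ossec-logtest to confirm which rule fires, then restart OSSEC so the manager loads the new rules.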