Hi Rocio, thanks for the reply. I created the file on the manager, included
your statements, and restarted; however, I am still seeing the error messages
that the manager is unable to open the directories:
2016/05/30 08:47:50 ossec-syscheckd: WARN: Error opening directory:
'%WINDIR%/system32':

Hi Luca.
You need to create a "child rule" that matches with 1003 for large
messages, and another rule for short messages. After that, you might make a
rule that matches with the previous two. A good way to do it is using a
rule group. For example, if your decoder is called "oracle", you should