Hi Issam,
regarding the rule order, OSSEC checks a rule and its children
recursively. Try launching *ossec-logtest* with the *-v* argument:
log: '2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP:
On Wed, May 18, 2016 at 10:47 AM, Issam Aouad Tabet wrote:
> Hey everyone,
>
> I am wondering if anyone can help me with these two questions:
>
> 1. I am using ossec-logtest to test my rules in order to match
> some Windows logs. Does anyone know in which order
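To illustrate the reply above, here is an added example (not OSSEC's own code, and not posted by anyone in this thread): a small Python model of the rule tree in which a child rule's `<if_sid>` decides when it is tried, so a rule is reached through its parent rather than by its id. The rule ids, regexes and WinEvtLog lines are constructed for the example; trying sibling rules in list order is an assumption of the model, and real OSSEC rules also match on decoder, group, level and other fields.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified model of OSSEC's rule tree, written for this thread. It is not
# OSSEC's own code: real rules also filter on decoder, group, level and
# other fields, and analysisd may order sibling rules differently. Here a
# rule is just a regex plus an optional parent (<if_sid>), and siblings are
# tried in the order they appear in the rule list (assumption).


@dataclass
class Rule:
    id: int
    level: int
    match: str                    # regex tried against the raw log line
    if_sid: Optional[int] = None  # parent rule id, like OSSEC's <if_sid>
    description: str = ""


# Constructed rules (hypothetical ids in the 100000 local range). Note that
# the deepest rule has the LOWEST id: ids play no part in evaluation order.
RULES: List[Rule] = [
    Rule(100001, 3, r"Microsoft-Windows-Sysmon/Operational",
         description="Sysmon event"),
    Rule(100002, 5, r"INFORMATION\(1\)", if_sid=100001,
         description="Sysmon event 1: process create"),
    Rule(100000, 8, r"\\powershell\.exe", if_sid=100002,
         description="Sysmon process create: powershell.exe"),
    Rule(100003, 1, r"Service Control Manager",
         description="Service Control Manager event"),
]


def build_tree(rules: List[Rule]) -> Dict[Optional[int], List[Rule]]:
    """Group rules by parent id; key None holds the root (no if_sid) rules."""
    children: Dict[Optional[int], List[Rule]] = {}
    for rule in rules:
        children.setdefault(rule.if_sid, []).append(rule)
    return children


def evaluate(rules: List[Rule], log: str,
             trace: Optional[List[int]] = None) -> Optional[Rule]:
    """Return the rule that fires for `log`, or None.

    Root rules are tried first; when a rule matches, its children are tried
    recursively and the deepest matching rule wins. `trace` collects the ids
    in the order they were tried, the information `ossec-logtest -v` shows
    for a real rule set.
    """
    children = build_tree(rules)

    def walk(parent_id: Optional[int]) -> Optional[Rule]:
        for rule in children.get(parent_id, []):
            if trace is not None:
                trace.append(rule.id)
            if re.search(rule.match, log):
                deeper = walk(rule.id)
                return deeper if deeper is not None else rule
        return None

    return walk(None)


def fired_rule_id(log: str) -> Optional[int]:
    rule = evaluate(RULES, log)
    return rule.id if rule else None


def tried_rule_ids(log: str) -> List[int]:
    trace: List[int] = []
    evaluate(RULES, log, trace)
    return trace


# Constructed log lines in the WinEvtLog format quoted in the thread; the
# hostname is the one from the thread, the process details are made up.
PREFIX = ("2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
          "INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
          "WIN-U93G48C7BOP: Process Create: ")
LOG_POWERSHELL = PREFIX + r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOG_NOTEPAD = PREFIX + r"Image: C:\Windows\System32\notepad.exe"
LOG_OTHER = ("2014 Dec 20 09:30:01 WinEvtLog: System: INFORMATION(7036): "
             "Service Control Manager: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: "
             "The Windows Update service entered the running state.")

if __name__ == "__main__":
    for log in (LOG_POWERSHELL, LOG_NOTEPAD, LOG_OTHER):
        print("tried:", tried_rule_ids(log), "-> fired:", fired_rule_id(log))
```

For the powershell line the model tries 100001, then 100002, then 100000 and fires 100000, even though 100000 has the lowest id; the notepad line stops at 100002, and the non-Sysmon line skips the whole Sysmon subtree and fires 100003. When a real rule does not fire as expected, run `ossec-logtest -v` and compare the rules it tries against the `<if_sid>` chain you meant to build.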
Hey everyone,
I am wondering if anyone can help me with these two questions:
1. I am using ossec-logtest to test my rules in order to match
some Windows logs. Does anyone know in which order the rules are tested?
It seems it is not ID number order.
2. Here is the default predefined