> If you change them to 0 you may break some other rules that depend
> on them (since 0 means ignore it). My suggestion is to change them to
> 1 or 2. However, the best way is to go to /var/ossec/etc/ossec.conf and
> modify the value of "log_alert_level" to something higher (like 4 or 5).
> By default it is set to 1, which means log everything.
I'm confused.
in the web-rules.xml file
the first rule is
<rule id="31100" level="0">
<decoded_as>web-accesslog</decoded_as>
<category>web-log</category>
<description>Access log messages grouped.</description>
</rule>
From this I inferred that level 0 is ignored for alerts but is
still matched against the incoming log.
Bob Thorson
UNLV/NSCEE
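Added illustration of the two ideas in this thread, written for this page and not taken from OSSEC's own source: a grouping rule at level 0 is still matched and its children still fire, while log_alert_level only decides which matches get logged. Rule 31100 is the one quoted above; the child rules 100010 and 100011 (ids in the local-rule range), the toy decoder, and the sample log lines are all constructed for the example, and the rule-tree walk is a simplified model of the engine rather than its real matching order.

```python
# Toy model of OSSEC rule levels (added example, not OSSEC code).
# Rule 31100 is the grouping rule from web-rules.xml quoted in the thread;
# the child rules, decoder and log lines below are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None  # root rule: tied to a decoder name
    if_sid: Optional[int] = None      # child rule: needs its parent to match first
    regex: Optional[str] = None       # extra condition on the raw log line


RULES: List[Rule] = [
    # Grouping rule: level 0 is matched but can never reach an alert threshold
    Rule(31100, 0, "Access log messages grouped.", decoded_as="web-accesslog"),
    # Hypothetical local children that depend on 31100 via if_sid
    Rule(100010, 5, "Web server 4xx error code.", if_sid=31100, regex=r'" 4\d\d '),
    Rule(100011, 10, "Web server 5xx error code.", if_sid=31100, regex=r'" 5\d\d '),
]

# Apache-style access log: host ident user [time] "request" status ...
ACCESS_LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

# Constructed sample input: three access-log lines and one unrelated sshd line
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.5 - - [10/Oct/2000:13:55:37 -0700] "GET /admin.php HTTP/1.0" 404 209',
    '10.0.0.9 - - [10/Oct/2000:13:55:38 -0700] "POST /cgi-bin/x HTTP/1.0" 500 0',
    'Oct 10 13:55:39 host sshd[123]: Accepted password for bob from 10.0.0.5',
]


def decode(line: str) -> Optional[str]:
    """Toy decoder: label Apache-style access log lines as 'web-accesslog'."""
    return "web-accesslog" if ACCESS_LOG_RE.match(line) else None


def _children(parent_id: int) -> List[Rule]:
    return [r for r in RULES if r.if_sid == parent_id]


def _descend(rule: Rule, line: str) -> Rule:
    """Walk down the tree: the first matching child wins, else stay on the parent."""
    for child in _children(rule.id):
        if child.regex is None or re.search(child.regex, line):
            return _descend(child, line)
    return rule


def match_rule(line: str) -> Optional[Rule]:
    """Return the most specific rule matching the line, regardless of its level."""
    decoded = decode(line)
    if decoded is None:
        return None
    for root in RULES:
        if root.decoded_as == decoded:
            return _descend(root, line)
    return None


def alerts(lines: List[str], log_alert_level: int) -> List[Tuple[int, int, str]]:
    """Emulate log_alert_level: keep only matches at or above the threshold."""
    out = []
    for line in lines:
        rule = match_rule(line)
        if rule is not None and rule.level >= log_alert_level:
            out.append((rule.id, rule.level, rule.description))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rule = match_rule(line)
        print("matched", rule.id if rule else None, "<-", line[:40])
    for threshold in (1, 6):
        print(f"log_alert_level={threshold}")
        for rid, level, desc in alerts(SAMPLE_LOG, threshold):
            print(f"  rule {rid} level {level}: {desc}")
```

With the default threshold of 1 the 200 line is matched by 31100 but produces nothing, the 404 and 500 lines reach the children and are logged; raising the threshold to 6 drops the level-5 match and keeps the level-10 one, which is the effect the quoted advice about log_alert_level describes. Removing 31100 from RULES would leave both children unreachable, since they only exist under it through if_sid.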