Hi folks. I have a problem with rule overriding. I want to ignore the rules
for "CRON[11681]: (pam_unix) session closed for user root". I edited the
local_rules.xml like this:

<rule id="100002" level="0" noalert="1">
    <if_sid>5501,5502</if_sid>
    <match>CRON</match>
    <description>CRON LOGINS</description>
</rule>


But I still get the alert. I tried deleting the noalert directive, with
no luck: I always get the alert for CRON jobs. What can I do about it?
(I included local_rules.xml in the ossec.conf).

I am using version 1.1. Is there any upgrade guide to version 1.2?
