Parsing the files for identifiers, I noticed a possible error in one of
them.
I'm not quite confident with OSSEC internals yet, but doesn't the
identifier have to be unique?

<rule id="2831" level="0">
  <if_sid>2830</if_sid>
  <match>^unable to exec</match>
  <description>Wrong crond configuration</description>
</rule>

<rule id="2831" level="5">
  <if_sid>2830</if_sid>
  <match>BEGIN EDIT</match>
  <description>Crontab opened for editing.</description>
</rule>

I guess it's not intended to have both of those events show up with
the same ID.
Greetings,
Dominique