Hello,

I am having an issue with writing a custom decoder and custom rule set.
Is there a way to tell OSSEC to parse my custom rules file before the
built-in one? I am assuming from these entries when running
ossec-logtest that it successfully decodes, but then hits the default
syslog ruleset, therefore not getting to my custom one. I added my custom
one just after local_rules.xml. Here are the logs. I sent some log
examples in a previous post.

**Phase 2: Completed decoding.
       decoder: 'junipersslvpn'

**Phase 3: Completed filtering (rules).
       Rule id: '2900'
       Level: '0'
       Description: 'Dpkg (Debian Package) log.'


I tried moving my custom rules.xml file above the syslog_rules.xml file
in the ossec.conf file, but I got an error on restart. Any advice would
be welcome. I would add it to the local_rules.xml file, but that file is
starting to get rather bloated with entries.

I am still in the process of learning how OSSEC parses the logs, so
forgive me if this is something obvious.

-Reggie
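As an added example (not from Reggie's post and not the OSSEC project's own rule files), this is the shape of a separate custom rules file that ties its root rule to the `junipersslvpn` decoder with `<decoded_as>` and hangs a child rule off it with `<if_sid>`. The filename, group name, rule IDs, description text and the `<match>` pattern are assumptions for illustration; whether this root rule is evaluated ahead of rule 2900 for a given line is something to confirm with ossec-logtest rather than take from this snippet.

```xml
<!-- /var/ossec/rules/junipersslvpn_rules.xml (assumed filename, example only) -->
<group name="junipersslvpn,">

  <!-- Root rule: selects every event the junipersslvpn decoder produced.
       Custom rule IDs belong in the 100000-119999 range reserved for
       local rules, so they cannot collide with the shipped rule sets. -->
  <rule id="100100" level="0">
    <decoded_as>junipersslvpn</decoded_as>
    <description>Juniper SSL VPN messages grouped.</description>
  </rule>

  <!-- Child rule: only tested when 100100 matched first.
       The <match> string is a placeholder, not a real Juniper message. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Login failed</match>
    <description>Juniper SSL VPN: login failure (placeholder pattern).</description>
  </rule>

</group>
```

The file is pulled in by adding `<include>junipersslvpn_rules.xml</include>` inside the `<rules>` section of `ossec.conf`, after `local_rules.xml` as the post already does; feeding one of the sample lines to `/var/ossec/bin/ossec-logtest` on stdin then shows in Phase 3 which rule ID actually won.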
