I'm trying to reduce the number of emails I'm getting from OSSEC. Towards
that end, I have RTFM. The Wiki says:
"However if you just want to make it all go away you could use the overwrite
option and add a local version of the rule to your local_rules.xml

  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <options>no_email_alert</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>"
Well, no, you can't. If you put this in local_rules, you get this:
Starting OSSEC: 2009/03/13 13:46:14 ossec-analysisd(1227): ERROR: Error
applying XML variables '/rules/local_rules.xml': XML_ERR: Unknown variable:
BAD_WORDS.
2009/03/13 13:46:14 ossec-analysisd(1220): ERROR: Error loading the rules:
'local_rules.xml'.
[FAILED]
What would be the correct method of doing this? I obviously don't want to
duplicate the variable in local_rules.
--
Tim Boyer
Chief Technology Officer
Denman Tire Corporation
(330) 675-4249
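The error in the post is OSSEC refusing to load local_rules.xml because `$BAD_WORDS` is referenced there but `<var name="BAD_WORDS">` is only defined in the file that ships rule 1002: OSSEC applies `<var>` definitions file by file, so a variable is only visible inside the rules file that declares it. The script below is an added pre-flight check (not from this thread and not part of OSSEC) that scans a rules file for `$NAME` references with no `<var name="NAME">` in the same file, so the mistake is caught before ossec-analysisd is restarted. The two embedded samples are constructed: the first is the wiki snippet on its own, the second adds a local variable definition with a hypothetical word list that is not OSSEC's real BAD_WORDS value.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample 1: the wiki snippet dropped into local_rules.xml by itself.
# This is the situation that produced "XML_ERR: Unknown variable: BAD_WORDS".
LOCAL_RULES_WIKI = """
<group name="local,syslog,">
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <options>no_email_alert</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

# Constructed sample 2: same rule, but the variable is declared in the same file.
# The word list here is hypothetical, not the value OSSEC ships in syslog_rules.xml.
LOCAL_RULES_WITH_VAR = """
<var name="BAD_WORDS">core_dumped|failure|error|attack</var>
<group name="local,syslog,">
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <options>no_email_alert</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

# OSSEC variable references look like $NAME inside rule fields such as <match>.
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def undefined_variables(rules_xml):
    """Return the $NAME references in rules_xml (in order of first appearance)
    that have no <var name="NAME"> declared in the same file.

    OSSEC rule files usually have several top-level <var> and <group> elements,
    so the text is wrapped in a synthetic root to make it parseable as XML.
    """
    root = ET.fromstring("<ossec_rules>" + rules_xml + "</ossec_rules>")

    # Variables are file-scoped: only declarations found in this text count.
    defined = {v.get("name") for v in root.iter("var")}

    missing = []
    for element in root.iter():
        if element.tag == "var" or not element.text:
            continue  # a <var> body is a definition, not a reference
        for name in VAR_REF.findall(element.text):
            if name not in defined and name not in missing:
                missing.append(name)
    return missing


def check_file(path):
    """Lint one rules file on disk; returns the list of undefined variables."""
    with open(path, encoding="utf-8") as fh:
        return undefined_variables(fh.read())


if __name__ == "__main__":
    # Usage: python check_rules_vars.py /var/ossec/rules/local_rules.xml
    exit_code = 0
    for rules_path in sys.argv[1:]:
        missing = check_file(rules_path)
        if missing:
            exit_code = 1
            print("%s: undefined variable(s): %s" % (rules_path, ", ".join(missing)))
        else:
            print("%s: all $VAR references are defined in this file" % rules_path)
    sys.exit(exit_code)
```

Run it against local_rules.xml before restarting OSSEC; a non-zero exit means the restart would fail with the same "Unknown variable" error shown in the post. Whichever fix is chosen (declaring the variable in local_rules.xml, or a child rule with `<if_sid>1002</if_sid>` and `no_email_alert` that never references `$BAD_WORDS` at all), the check passes only when every `$NAME` the file uses is declared in that same file.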