Hi Tim,

Yes, this is a typo in the wiki. The variables are local to a specific file and can not be shared with the others. The easiest way is to just create a local rule for it:

<rule id="100002" level="2">
  <if_sid>1002</if_sid>
  <description>Local rule to reduce the severity of 1002</description>
</rule>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Mar 13, 2009 at 2:47 PM, Tim Boyer <[email protected]> wrote:
>
> I'm trying to reduce the number of emails I'm getting from OSSEC. Towards
> that end, I have RTFM. The Wiki says:
>
> "However if you just want to make it all go away you could use the overwrite
> option and add a local version of the rule to your local_rules.xml
>
> <rule id="1002" level="2" overwrite="yes">
>   <match>$BAD_WORDS</match>
>   <options>no_email_alert</options>
>   <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> Well, no, you can't. If you put this in local_rules, you get this:
>
> Starting OSSEC: 2009/03/13 13:46:14 ossec-analysisd(1227): ERROR: Error
> applying XML variables '/rules/local_rules.xml': XML_ERR: Unknown variable:
> BAD_WORDS.
> 2009/03/13 13:46:14 ossec-analysisd(1220): ERROR: Error loading the rules:
> 'local_rules.xml'.
> [FAILED]
>
> What would be the correct method of doing this? I obviously don't want to
> duplicate the variable in local_rules.
>
> --
> Tim Boyer
> Chief Technology Officer
> Denman Tire Corporation
> (330) 675-4249
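Added example, not part of the original thread and not OSSEC code: a small pre-flight check that reports `$VARIABLE` references a rules file does not define itself, which is the condition behind the "Unknown variable" error quoted above. The function names, the sample file names and the shortened BAD_WORDS value are constructed for illustration, and scanning only element text for references is an assumption.

```python
import re

# Assumption: variables are declared as <var name="X">...</var> and used as $X in element text.
VAR_DEF = re.compile(r'<var\s+name="([^"]+)"\s*>')
VAR_REF = re.compile(r'\$([A-Za-z_]\w*)')
COMMENT = re.compile(r'<!--.*?-->', re.S)
ELEMENT_TEXT = re.compile(r'>([^<]*)<')

def undefined_variables(rules_text):
    """Return sorted variable names this one file references but does not define."""
    text = COMMENT.sub('', rules_text)          # ignore commented-out rules
    defined = set(VAR_DEF.findall(text))
    referenced = set()
    for chunk in ELEMENT_TEXT.findall(text):    # text between tags, not attributes
        referenced.update(VAR_REF.findall(chunk))
    return sorted(referenced - defined)

def check_rule_files(files):
    """files maps name -> contents. Each file is checked alone: no shared variable scope."""
    results = {name: undefined_variables(text) for name, text in files.items()}
    return {name: missing for name, missing in results.items() if missing}

# Constructed sample input. The two local rules are the ones quoted in the thread;
# the syslog_rules.xml excerpt uses a shortened, made-up BAD_WORDS value.
SAMPLE_FILES = {
    "syslog_rules.xml": '''<var name="BAD_WORDS">failure|error|denied</var>
<group name="syslog,errors,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>''',
    "local_rules_overwrite.xml": '''<rule id="1002" level="2" overwrite="yes">
  <match>$BAD_WORDS</match>
  <options>no_email_alert</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>''',
    "local_rules_if_sid.xml": '''<rule id="100002" level="2">
  <if_sid>1002</if_sid>
  <description>Local rule to reduce the severity of 1002</description>
</rule>''',
}

if __name__ == "__main__":
    for name, missing in check_rule_files(SAMPLE_FILES).items():
        print(f"{name}: undefined variable(s): {', '.join(missing)}")
```

Only the overwrite variant is flagged; the `if_sid` rule passes because it contains no variable reference at all.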
