OSSEC Users:
How can I disable Rule 1002 from emailing its level 2 alerts when the global email level is set to level 7?
 
I have attempted a "child" rule and an "overwrite" rule, which either did not stop emails, or disabled rule 1002 altogether ...

 

   local_rules.xml:
  <rule id="100041" level="2">
    <if_sid>1002</if_sid>
    <options>no_email_alert</options>
  </rule>


  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <options>no_email_alert</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

Note that emailing can be stopped by editing Rule 1002 directly ...
 
   syslog_rules.xml:
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <!-- <options>alert_by_email</options> -->
    <description>Unknown problem somewhere in the system.</description>
  </rule>

If you have been down this path, and found a good solution, please share it :-)
 
Thank You,
KenW
 
 
