Hi Dave,

When you use the "overwrite" option you should do that on the local_rules.xml, not on the rule file itself. So whenever you upgrade, your rules will remain intact.

As far as when to use which, I go with the "overwrite" whenever I am doing a small change, like modifying the frequency, level, etc. But that's only a personal preference, since both work well...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 8, 2010 at 8:33 AM, Dave S <[email protected]> wrote:
> I get that when future upgrades will include new ossec_rules.xml
> files.
>
> My question is, if we want to change the behavior of a rule, when
> should we use the "overwrite" attribute and when should we create a
> new child rule?
>
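The two approaches discussed in this thread, side by side in local_rules.xml, as an added example that is not part of the original messages. The stock rule id 5716 and its body, the parent id 5700, and the local id 100101 are assumptions for illustration; copy the real rule body from the rule file shipped with your install.

```xml
<!-- local_rules.xml: survives upgrades, unlike edits made in the shipped rule files. -->
<!-- Constructed example; ids, match pattern and field values are assumptions. -->
<group name="local,syslog,">

  <!-- Approach 1: overwrite.
       Same id as the stock rule. The definition here replaces the stock one,
       so the whole body is restated and only the level is changed (5 to 7). -->
  <rule id="5716" level="7" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Approach 2: child rule.
       New id in the local range. The stock rule is left as shipped; this rule
       is evaluated only after 5716 has matched, and adds one extra condition. -->
  <rule id="100101" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>SSHD authentication failed for root.</description>
    <group>authentication_failed,</group>
  </rule>

</group>
```

In practice you would pick one approach per rule. After editing, run a sample log line through `ossec-logtest` to confirm which rule id and level fire.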
