Can someone please explain what if_sid means exactly? Does it mean if a rule matches ID=500, do the following?
Just a bit confused about how rules are triggered.
<rule id="501" level="3">
  <if_sid>500</if_sid>
  <if_fts />
  <options>alert_by_email</options>
  <match>Agent started</match>
  <description>New ossec agent connected.</description>
</rule>
--
Best Regards,
Aamir Niazi
Senior Security Analyst
