On Mon, Dec 12, 2011 at 9:30 PM, Chris Decker <[email protected]> wrote:
> As the subject suggests, is there a way to override a particular
> decoder in decoder.xml? I have a few tweaks I want to make and
> obviously want to make sure that future upgrades go smoothly (so I
> want to keep everything in local_decoder.xml).
>
> (Thanks in advance, Dan, for the response ;))
>
> Sent from my iPhone

Not really. You can eliminate the decoder.xml file and load only custom decoder files using <decoder> and <decoder_dir> in the <rules> section of the ossec.conf:

http://devio.us/~ddp/ossec/docs/syntax/head_ossec_config.rules.html

I think if you use <decoder> without specifying decoder.xml, then decoder.xml will not be used. I'll double check and update the docs though (I'm almost positive this is the case with <decoder_dir>).
