Since you mentioned this - On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer <[email protected]> wrote:
> This is happening with all syslog_rules.xml modifications, but > msauth_rules.xml mods *are* working. > > Is it possible that there is a copy of your syslog-rules.xml file that is triggering the rule 1002? If you grep "rule id=\"1002\"" /var/ossec/rules/*.xml do you have only one entry, as below? syslog_rules.xml: <rule id="1002" level="2">
