On Friday, April 20, 2012 5:34:13 PM UTC+3, dan (ddpbsd) wrote:
>
>
>
> > 2. Main group in local_rules.xml is
> > <group name="local,syslog,">
> > </group>
> > If I add
> > <group name="local,yum,">
> > </group>
> > to the end of the file, I get xml errors and ossec-analysisd doesn't
> > start.
> > Does that mean that all overwritten rules must go to the first group?
> >
>
> You can add groups to individual rules.
>
> <rule blah>
> ...
> <group>yum,</group>
> </rule>
>
> Or you can create multiple files containing local rules.
>
Ok, then one more question about grouping. If I write:
<group name="syslog,">
  <rule id="2933" level="1" overwrite="yes">
    <if_sid>2930,2931</if_sid>
    <match>^Updated</match>
    <group>yum,config_changed,</group>
    <description>Yum package updated.</description>
  </rule>
</group>
is "yum,config_changed," added to the group list (end result:
syslog,yum,config_changed), or does it replace it (end result: yum,config_changed)?
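As an added example (not part of the thread, and not OSSEC's own code): a small Python script that parses a rules fragment like the one above, reports for each rule the tags declared on the enclosing `<group name="...">` and in the rule's own `<group>` element as two separate fields, and checks the file is well-formed before ossec-analysisd is restarted. `SAMPLE_RULES`, the second top-level group and rule id 100001 are constructed here; which of the two tag sources OSSEC applies to the rule is the question the post asks, so the script reports both rather than merging them.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's fragment; the second top-level
# <group> is added here to show several groups in one file.
SAMPLE_RULES = """
<group name="syslog,">
  <rule id="2933" level="1" overwrite="yes">
    <if_sid>2930,2931</if_sid>
    <match>^Updated</match>
    <group>yum,config_changed,</group>
    <description>Yum package updated.</description>
  </rule>
</group>
<group name="local,yum,">
  <rule id="100001" level="3">
    <description>Constructed rule with no rule-level group.</description>
  </rule>
</group>
"""

def split_tags(value):
    """Split a comma-terminated OSSEC tag list ("local,syslog,") into a list,
    dropping the empty item left by the trailing comma."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]

def parse_rules(text):
    """Return one dict per <rule>. A rules file may hold several top-level
    <group> elements, which is not a single-rooted XML document, so the text
    is wrapped in a synthetic root first; malformed XML raises ET.ParseError."""
    root = ET.fromstring("<rules>" + text + "</rules>")
    rules = []
    for grp in root.findall("group"):
        enclosing = split_tags(grp.get("name"))
        for rule in grp.findall("rule"):
            rules.append({
                "id": rule.get("id"),
                "level": int(rule.get("level", "0")),
                "overwrite": rule.get("overwrite") == "yes",
                "enclosing_groups": enclosing,  # from <group name="...">
                "rule_groups": split_tags(rule.findtext("group")),  # <group> in the rule
                "if_sid": split_tags(rule.findtext("if_sid")),
            })
    return rules

def check_file(text):
    """Pre-flight check: an error string for malformed XML, None if it parses."""
    try:
        parse_rules(text)
    except ET.ParseError as exc:
        return "not well-formed XML: %s" % exc
    return None
```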