On Mon, Apr 23, 2012 at 4:51 AM, ignasr <[email protected]> wrote:
>
> On Friday, April 20, 2012 5:34:13 PM UTC+3, dan (ddpbsd) wrote:
>>
>> > 2. Main group in local_rules.xml is
>> > <group name="local,syslog,">
>> > </group>
>> > If I add
>> > <group name="local,yum,">
>> > </group>
>> > to the end of the file, I get xml errors and ossec-analysisd doesn't
>> > start.
>> > Does that mean that all overwritten rules must go to the first group?
>> >
>>
>> You can add groups to individual rules.
>>
>> <rule blah>
>> ...
>> <group>yum,</group>
>> </rule>
>>
>> Or you can create multiple files containing local rules.
>
> Ok, then one more question about grouping. If I write:
>
> <group name="syslog,">
> <rule id="2933" level="1" overwrite="yes">
> <if_sid>2930,2931</if_sid>
> <match>^Updated</match>
> <group>yum,config_changed,</group>
> <description>Yum package updated.</description>
> </rule>
> </group>
>
> is "yum,config_changed," added to the group list (end result:
> syslog,yum,config_changed), or replaces it (end result: yum,config_changed)?
I don't know. I'd have to test it to find out. I can do that if you want.
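Added example, not part of the thread above and not OSSEC's own code: a small script that checks a local_rules.xml fragment for well-formedness and computes the group list each rule would end up with. It models the case ignasr asks about by assuming the rule-level <group> text is appended to the enclosing <group name="..."> attribute; the reply above leaves that open, so treat the assumption as something to confirm against your own build (for instance by feeding a yum log line to ossec-logtest and reading the groups it prints). The sample rules file is constructed from the snippets quoted in the thread, plus a second hypothetical group block with a made-up rule id (100100) to show the multi-group case.

```python
"""Check an OSSEC local_rules.xml fragment and resolve per-rule groups.

Added example, not from the mailing-list thread or from OSSEC. It ASSUMES
that a rule's own <group> tags are appended to the enclosing
<group name="..."> attribute (the thread does not confirm this); verify
against your build with ossec-logtest before relying on the result.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the snippet from the thread plus a second,
# hypothetical group block with a made-up local rule id (100100).
LOCAL_RULES = """
<group name="syslog,">
  <rule id="2933" level="1" overwrite="yes">
    <if_sid>2930,2931</if_sid>
    <match>^Updated</match>
    <group>yum,config_changed,</group>
    <description>Yum package updated.</description>
  </rule>
</group>

<group name="local,yum,">
  <rule id="100100" level="3">
    <if_sid>2932</if_sid>
    <match>^Erased</match>
    <group>config_changed,</group>
    <description>Yum package removed (hypothetical local rule).</description>
  </rule>
</group>
"""


def parse_rules_file(text):
    """OSSEC rule files are XML fragments with several top-level <group>
    elements and no single root element, so wrap the text in a throwaway
    root before handing it to a strict parser. A malformed fragment raises
    xml.etree.ElementTree.ParseError here."""
    return ET.fromstring("<rules>" + text + "</rules>")


def is_well_formed(text):
    """True if the fragment parses; False for the kind of XML error that
    stops ossec-analysisd from starting."""
    try:
        parse_rules_file(text)
        return True
    except ET.ParseError:
        return False


def split_groups(s):
    """'local,yum,' -> ['local', 'yum'] (OSSEC group lists are comma
    terminated, so the trailing empty field is dropped)."""
    return [g for g in s.split(",") if g]


def effective_groups(text):
    """Map rule id -> {'groups': [...], 'overwrite': bool}.

    ASSUMPTION: the enclosing group name comes first and each <group>
    inside the rule is appended in order, i.e. plain concatenation."""
    result = {}
    for grp in parse_rules_file(text).findall("group"):
        inherited = split_groups(grp.get("name", ""))
        for rule in grp.findall("rule"):
            own = []
            for g in rule.findall("group"):
                own.extend(split_groups(g.text or ""))
            result[rule.get("id")] = {
                "groups": inherited + own,
                "overwrite": rule.get("overwrite") == "yes",
            }
    return result


def rules_in_group(text, name):
    """Rule ids whose resolved group list contains `name`; handy for
    checking that an <if_group> elsewhere will actually see the rule."""
    return [rid for rid, info in effective_groups(text).items()
            if name in info["groups"]]


if __name__ == "__main__":
    print("well-formed:", is_well_formed(LOCAL_RULES))
    for rid, info in effective_groups(LOCAL_RULES).items():
        flag = " (overwrite)" if info["overwrite"] else ""
        print(rid + flag, "->", ",".join(info["groups"]) + ",")
    print("rules in group 'yum':", rules_in_group(LOCAL_RULES, "yum"))
```

The wrapping trick in parse_rules_file is the useful part for the first problem in the thread: a rules file with several <group> blocks is not a single XML document, so a strict parser rejects it unless you supply a root, and once you do, any stray or unclosed tag that would make ossec-analysisd refuse to start shows up as a ParseError with a line number.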
