On Thu, Oct 3, 2013 at 3:24 PM, Kaspars Līcis <[email protected]> wrote:
> Is it possible to run two rules on one event?
>
> Example: I have a Windows fileserver and need to create an alarm if somebody
> accesses a specific file.
>
> I created a rule in local_rules, but the OSSEC default Windows rule is activated
> first and my rule is ignored.
> I don't want to remove the default OSSEC Windows rule because I need it to alert
> on other events (like access to server, new user created, etc).
>
If rule XXX is triggered instead of your rule YYY, use XXX as a building block for your rule.

<rule id="YYY" level="11">
  <if_sid>XXX</if_sid>
  <!-- This means "If XXX would be triggered by this event, check this rule (YYY) to see if it would trigger. If YYY is valid for this log event, trigger it instead of XXX." -->
  <match>blahblahblah</match>
  ..
</rule>
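The chaining described in the reply, filled in for the file-access case from the question; this is an added example, not part of the original thread. It assumes the stock rule that fires is 18104 (the "Windows audit success event" rule in the default Windows rule set), that object-access auditing logs event ID 4663, and it uses a constructed file name and a local rule id of 100010.

```xml
<!-- local_rules.xml (added example; ids and file name are assumptions) -->
<group name="local,windows,">

  <!-- Child of the stock Windows rule: evaluated only for events that
       already matched the parent, and alerts in its place when it matches. -->
  <rule id="100010" level="11">
    <!-- Assumed parent: replace with the rule id that ossec-logtest
         reports for your file-access event. -->
    <if_sid>18104</if_sid>
    <!-- Windows event ID for "An attempt was made to access an object". -->
    <id>^4663$</id>
    <!-- Constructed file name; put the name of the file to watch here. -->
    <match>Payroll-2013.xlsx</match>
    <description>Access to monitored file on Windows fileserver.</description>
  </rule>

</group>
```

Events that match the parent but not this child still alert through the parent rule, so the default Windows alerts are unaffected.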
