On Fri, Aug 26, 2016 at 9:39 AM, Derek Day <[email protected]> wrote:
> I have hopefully an easily answered question regarding modifying some of the
> rules.xml files that come with ossec. I guess my question centers around,
> what is the best practice for doing something like that? I want to give
> certain Windows event IDs higher levels and lower certain other ones.
> Should I just modify the msauth_rules.xml files as required or is there a
> different best practice?
>

Usually what we recommend is to add the rules with your changes to local_rules.xml and add the overwrite option.

> Thanks
>
> Derek
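
A sketch of what the recommended override looks like in local_rules.xml, added here as an illustration and not taken from the thread or from the OSSEC rule files. The rule id, parent SID, event ID and description are constructed placeholders; copy the real values from the rule you are changing in msauth_rules.xml.

```xml
<!-- local_rules.xml -->
<!-- Constructed example: every UPPER_CASE value is a placeholder to be
     replaced with the matching field of the stock rule in msauth_rules.xml. -->
<group name="windows,">

  <!-- overwrite="yes" tells OSSEC to replace the already-loaded rule that
       has the same id instead of rejecting this one as a duplicate.
       The id must match the stock rule exactly. -->
  <rule id="STOCK_RULE_ID" level="10" overwrite="yes">

    <!-- Copy the original rule's conditions unchanged. An overwrite
         replaces the whole rule body, so any condition left out here
         is dropped from the rule, not inherited from the stock file. -->
    <if_sid>PARENT_SID_FROM_STOCK_RULE</if_sid>
    <id>^WINDOWS_EVENT_ID$</id>

    <!-- Keep the original description (or extend it) so existing alert
         searches and reports still match. -->
    <description>DESCRIPTION_FROM_STOCK_RULE</description>
  </rule>

</group>
```

Because the change lives in local_rules.xml and msauth_rules.xml stays untouched, the stock file can be replaced on upgrade without losing the adjusted levels. Restart OSSEC after editing and replay a sample event through ossec-logtest to confirm the rule now fires at the new level.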
