On Sep 28, 2017 3:14 PM, "Kris Springer" <[email protected]> wrote:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html
>
> So if I understand this correctly, based on the default 'alert levels' defined in the ossec.conf file on the Ossec server, I just need to edit individual rule levels in the xml rule files located in /var/ossec/rules/ on my Ossec server, and there's currently only 3 levels that matter.
>
> 0 = no alert
> 1 = display the logs
> 7 = trigger an email

These are the defaults, but you can change them. There are settings in the ossec server's ossec.conf for these (maybe no 0 though).

Changing the rules files directly can be disastrous during an upgrade. The files are overwritten, and your changes will be lost. It's best to use the overwrite option in copies of the rules in local_rules.xml.

> As long as my desired rule definitions are already listed in the rule files located on the Ossec server, I don't need to do anything custom on the agents (clients)?

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
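The approach the reply recommends, shown as an added example that is not part of the original thread: a local_rules.xml entry that overrides the level of a stock rule with overwrite="yes", alongside the ossec.conf <alerts> block that holds the log and email thresholds the thread refers to. Rule 5716 and its body are assumed to be the stock "SSHD authentication failed" rule from sshd_rules.xml (level 5 in the copies I have seen); the id, if_sid and match pattern are an assumption here, so copy the body from your own /var/ossec/rules/ file rather than from this example.

```xml
<!-- Added example, not from the thread. File 1: /var/ossec/etc/local_rules.xml on the server.
     overwrite="yes" replaces the stock rule that has the same id, so the whole body
     (if_sid, match, description, group) must be copied, not only the level attribute.
     Rule 5716 is ASSUMED to be the stock "SSHD authentication failed" rule; verify the
     id and body against your own /var/ossec/rules/sshd_rules.xml before using it. -->
<group name="local,syslog,sshd,">
  <!-- Stock level is 5 (log only); 10 pushes it over the email threshold below. -->
  <rule id="5716" level="10" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- File 2: the thresholds the thread calls "defaults", in /var/ossec/etc/ossec.conf on
     the server. Shown at their stock values; anything below log_alert_level is dropped,
     anything at or above email_alert_level is also mailed. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

After restarting the server (/var/ossec/bin/ossec-control restart), paste a failed-login line into /var/ossec/bin/ossec-logtest: the output should report rule 5716 at level 10 instead of 5, which confirms the override took effect and that local_rules.xml survived without touching the stock rule files. Rule matching happens on the server (ossec-analysisd); agents only forward logs, so an override like this needs no change on the agents.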
