I'm struggling to understand how to write custom rules.
Unfortunately the "<group>" tag seems to be completely
undocumented, and the book doesn't explain it either:
Each rule, or grouping of rules, must be defined within a
<group></group> element. Your attribute name must contain the
rules you want to be part of this group.
...
<group name="syslog,sshd,">
<rule id="100120" level="5"> ... </rule>
...
</group>
The "name" of the group is a comma separated list of rules that
are "part of the group"? What does that mean?
--
Specifically, I want to try out the example from the chapter
"Increasing the Alert Severity for Important Files":
<rule id="100614" level="10">
<if_group>syscheck</if_group>
<match>for:'/etc/foobar</match>
</rule>
So, this needs to be enclosed in a <group> tag? What is the
supposed value of the "name" attribute?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/20200512125638.wk4kklcfzi3eunp2%40gmx.de.
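Added example (not part of the post above, and not OSSEC project code): the `name` attribute on an enclosing `<group>` is a comma-separated list of group labels that every `<rule>` inside the wrapper inherits, so `name="syslog,sshd,"` tags its rules as belonging to both the `syslog` and `sshd` groups; a rule can add its own labels with a nested `<group>` element, and another rule's `<if_group>` then refers to those labels. The shipped rule files consistently end the list with a trailing comma. The script below parses a constructed `local_rules.xml`-style fragment (which wraps the quoted rule 100614 in an assumed `<group name="local,syscheck,">`), reports the effective labels of each rule, and flags wrapper names without the trailing comma. The second rule and its description text are constructed for illustration.

```python
"""Report which group labels each OSSEC-style rule inherits.

Added example, not from the mailing-list post. The sample rules file below is
constructed; rule 100614 and its <match> are the ones quoted in the post, the
wrapping group name "local,syscheck," is an assumption about how to enclose it.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on local_rules.xml: each top-level
# <group name="..."> wrapper hands its labels to every <rule> inside it.
SAMPLE_RULES = """
<group name="local,syscheck,">
  <rule id="100614" level="10">
    <if_group>syscheck</if_group>
    <match>for:'/etc/foobar</match>
    <description>Constructed: integrity change on a watched config file.</description>
  </rule>
</group>

<group name="syslog,sshd,">
  <rule id="100120" level="5">
    <if_group>sshd</if_group>
    <group>authentication_failed,</group>
    <description>Constructed sshd example with its own extra label.</description>
  </rule>
</group>
"""


def split_labels(value):
    """'syslog,sshd,' -> ['syslog', 'sshd']; the trailing comma yields an
    empty item, which is dropped."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _wrap(text):
    # A rules file may hold several top-level <group> elements, which is not a
    # single well-formed XML document, so parse it under a synthetic root.
    return ET.fromstring("<rules>" + text + "</rules>")


def parse_rules(text):
    """Return {rule_id: {"level": int, "groups": [...], "if_group": str|None}}.

    Effective labels = labels from the wrapper's name attribute, followed by
    any labels the rule declares in its own nested <group> element.
    """
    result = {}
    for wrapper in _wrap(text).findall("group"):
        inherited = split_labels(wrapper.attrib.get("name", ""))
        for rule in wrapper.findall("rule"):
            own = rule.find("group")
            own_labels = split_labels(own.text or "") if own is not None else []
            result[rule.attrib["id"]] = {
                "level": int(rule.attrib["level"]),
                "groups": inherited + own_labels,
                "if_group": rule.findtext("if_group"),
            }
    return result


def lint_group_names(text):
    """Flag wrapper group names that are missing or lack the trailing comma
    used throughout the shipped rule files."""
    problems = []
    for wrapper in _wrap(text).findall("group"):
        name = wrapper.attrib.get("name", "")
        if not name.endswith(","):
            problems.append(f"group name {name!r} lacks trailing comma")
    return problems


if __name__ == "__main__":
    for rule_id, info in parse_rules(SAMPLE_RULES).items():
        print(rule_id, "level", info["level"], "groups", info["groups"],
              "if_group", info["if_group"])
    for problem in lint_group_names(SAMPLE_RULES):
        print("WARNING:", problem)
```

Run it against a real `local_rules.xml` by reading the file into `parse_rules`; the output shows, for each custom rule, the labels that other rules' `<if_group>` conditions can match on, which is usually what is wrong when a new rule never fires.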