Why can't I overwrite the OSSEC rule?
Situation: I'm trying to overwrite an OSSEC rule (add it to the exceptions).
I write the following in local_rules.xml:
<rule id="5301" level="0" overwrite="yes">
<if_sid>5300</if_sid>
<match>authentication failure; |failed|BAD su|^-</match>
<description>User missed the password to change UID (user id).</description>
<group>authentication_failed,</group>
</rule>
<rule id="100008" level="0">
<if_sid>5301</if_sid>
</rule>
I already found the answer (I searched for a long time; maybe it will help someone):
You need to change the include sequence in the ossec.conf file:
To:
<rules>
<include>local_rules.xml</include>
...
<include>syslog_rules.xml</include>
</rules>
<rules>
<include>syslog_rules.xml</include>
...
<include>local_rules.xml</include>
</rules>
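As an added example (not part of the original question or answer, and not OSSEC's own code), the following Python script makes the point of the answer checkable: it reads the <include> order from an ossec.conf and walks the rule files in that order, reporting any rule that uses overwrite="yes" or <if_sid> on a rule id that no earlier include has defined. It assumes that OSSEC loads rule files strictly in include order and rejects an overwrite or if_sid whose target rule has not been loaded yet. The two ossec.conf fragments and the trimmed syslog_rules.xml stand-in are constructed for this example (the real file is much larger); the local_rules.xml content is the asker's rule from the question.

```python
"""Check that the <include> order in ossec.conf lets local_rules.xml
override stock rules (added example; assumes a rule can only be
overwritten or referenced via if_sid after its defining file is loaded)."""
import re

# Constructed sample: local_rules.xml included BEFORE the stock rules.
OSSEC_CONF_BAD = """<ossec_config>
  <rules>
    <include>local_rules.xml</include>
    <include>syslog_rules.xml</include>
  </rules>
</ossec_config>"""

# Constructed sample: local_rules.xml included AFTER the stock rules.
OSSEC_CONF_GOOD = """<ossec_config>
  <rules>
    <include>syslog_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>"""

RULE_FILES = {
    # Trimmed stand-in for the stock syslog_rules.xml (constructed).
    "syslog_rules.xml": """<group name="syslog,">
  <rule id="5300" level="0">
    <decoded_as>su</decoded_as>
    <description>Su messages grouped.</description>
  </rule>
  <rule id="5301" level="5">
    <if_sid>5300</if_sid>
    <match>authentication failure; |failed|BAD su|^-</match>
    <description>User missed the password to change UID (user id).</description>
    <group>authentication_failed,</group>
  </rule>
</group>""",
    # The asker's override from the question.
    "local_rules.xml": """<group name="local,">
  <rule id="5301" level="0" overwrite="yes">
    <if_sid>5300</if_sid>
    <match>authentication failure; |failed|BAD su|^-</match>
    <description>User missed the password to change UID (user id).</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100008" level="0">
    <if_sid>5301</if_sid>
  </rule>
</group>""",
}


def parse_includes(conf_text):
    """Return the <include> file names inside <rules> blocks, in order."""
    includes = []
    for block in re.findall(r"<rules>(.*?)</rules>", conf_text, re.S):
        includes += re.findall(r"<include>\s*([^<\s]+)\s*</include>", block)
    return includes


def parse_rules(rule_text):
    """Return (sid, overwrite, referenced_sids) per <rule>, in file order.
    Regexes are used instead of an XML parser because real OSSEC rule
    files may contain several top-level <group> elements."""
    rules = []
    for m in re.finditer(r"<rule\b([^>]*)>(.*?)</rule>", rule_text, re.S):
        attrs = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)))
        refs = []
        for tag in ("if_sid", "if_matched_sid"):
            for val in re.findall(rf"<{tag}>([^<]*)</{tag}>", m.group(2)):
                refs += [r.strip() for r in val.split(",") if r.strip()]
        overwrite = attrs.get("overwrite", "no").lower() == "yes"
        rules.append((attrs.get("id"), overwrite, refs))
    return rules


def check_rule_order(conf_text, rule_files):
    """Walk the includes in order; return a list of ordering problems.
    rule_files maps file name -> file contents. An empty list means the
    overrides in local_rules.xml will find the rules they target."""
    problems = []
    defined = {}  # sid -> file that first defined it
    for fname in parse_includes(conf_text):
        if fname not in rule_files:
            problems.append(f"{fname}: included but not found")
            continue
        for sid, overwrite, refs in parse_rules(rule_files[fname]):
            for ref in refs:
                if ref not in defined:
                    problems.append(
                        f"{fname}: rule {sid} uses if_sid {ref} before it is loaded")
            if overwrite:
                if sid not in defined:  # overwrite target not loaded yet
                    problems.append(
                        f'{fname}: rule {sid} has overwrite="yes" but no earlier include defines it')
            elif sid in defined:
                problems.append(f"{fname}: rule {sid} duplicates the id in {defined[sid]}")
            else:
                defined[sid] = fname
    return problems


if __name__ == "__main__":
    for label, conf in (("bad", OSSEC_CONF_BAD), ("good", OSSEC_CONF_GOOD)):
        print(label, check_rule_order(conf, RULE_FILES) or "OK")
```

With local_rules.xml first, the check flags the overwrite of 5301, its if_sid 5300, and 100008's if_sid 5301, because none of those ids exist yet when local_rules.xml is read; with syslog_rules.xml first it reports nothing. To run it against a real installation, replace the embedded strings with the contents of /var/ossec/etc/ossec.conf and the files under /var/ossec/rules.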