On Thu, Feb 2, 2012 at 9:42 AM, Kat <uncommon...@gmail.com> wrote:
> I always wondered about that - shouldn't anything in "Local..." get
> processed before the built-in?
> I did have a feeling it was order dependent, and I took the route of
> making the rules "decoded_as - windows_date_format" and everything
> works, and this now confirms my thoughts that local did NOT get
> processed first, but maybe this could be something for the future - a
> switch for processing local BEFORE or AFTER builtin? Let the
> organization decide on an install basis? I could see this fixing a
> lot of ambiguity.
>
> thanks for the clarification..
>
I have a bunch of decoders in local_decoders that rely on decoders in the default file. Your change breaks that. ;) You could easily add another decoder list that gets processed before decoders.xml does. Use the decoder or decoder_dir options (http://www.ossec.net/doc/syntax/head_ossec_config.rules.html).
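
An added illustration of the suggestion in the reply above, not part of the original message and not the project's own configuration: an ossec.conf fragment that lists an extra decoder file ahead of the stock ones. The file name etc/pre_decoder.xml is hypothetical, the stock paths etc/decoder.xml and etc/local_decoder.xml are assumed from a default install, and the fragment assumes decoder files are read in the order they are listed.

```xml
<!-- ossec.conf fragment (added example; file names and paths are assumptions) -->
<ossec_config>
  <rules>
    <!-- Hypothetical file: site decoders that must be evaluated before the built-ins -->
    <decoder>etc/pre_decoder.xml</decoder>

    <!-- Stock decoders, listed explicitly so they are still loaded
         once <decoder> entries are present -->
    <decoder>etc/decoder.xml</decoder>

    <!-- Local decoders that build on the stock ones stay after them -->
    <decoder>etc/local_decoder.xml</decoder>

    <!-- existing <include> rule entries follow here, unchanged -->
  </rules>
</ossec_config>
```

Running ossec-logtest against a sample log line after restarting shows which decoder matched, which confirms whether the earlier file took precedence.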