I don't have the Wazuh OSSEC fork installed, but can I pull out individual rules such as the USB rule and put them in my local_rules.xml?
<group name="usb,">
  <rule id="81100" level="0">
    <decoded_as>kernel</decoded_as>
    <id>usb</id>
    <description>USB messages grouped.</description>
  </rule>

  <!-- USB Connected
  Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575
  -->
  <rule id="81101" level="3">
    <if_sid>81100</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
  </rule>
</group>
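An added example, not code from the original post or from OSSEC/Wazuh: a small Python replay of the two posted rules over a few constructed kernel log lines, showing how they chain. Rule 81100 only matches an event that a decoder named `kernel` produced with a decoded `id` field of `usb` (in OSSEC, `<id>` compares against the id the decoder extracted, not against text in the log), and 81101 fires only on events that already matched 81100 and contain "New USB device found". The `decode()` function is a stand-in for that decoder and assumes it tags USB lines with `id=usb`; whether the decoders shipped with a non-Wazuh OSSEC install actually do that is exactly what to confirm before relying on a copied rule, by feeding the sample line to `/var/ossec/bin/ossec-logtest` and checking which decoder ran and whether the rule matched.

```python
"""Toy replay of the posted USB rules over constructed kernel log lines.

Added example, not OSSEC or Wazuh code. It mimics just enough of the rule
engine to show the if_sid chain between rules 81100 and 81101.
"""
import re
import xml.etree.ElementTree as ET

# The two rules as posted in the message above.
LOCAL_RULES = """<group name="usb,">
  <rule id="81100" level="0">
    <decoded_as>kernel</decoded_as>
    <id>usb</id>
    <description>USB messages grouped.</description>
  </rule>
  <rule id="81101" level="3">
    <if_sid>81100</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
  </rule>
</group>"""

# Constructed sample lines; the first copies the comment in the posted rules.
SAMPLE_LOG = [
    "Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575",
    "Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "Feb  3 10:25:41 testsys kernel: usb 1-1.2: USB disconnect, device number 5",
    "Feb  3 10:26:02 testsys sshd[1234]: Accepted publickey for root from 10.0.0.5 port 2222 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def decode(line):
    """Stand-in decoder. ASSUMPTION: a `kernel` decoder that sets id=usb for
    messages starting with "usb " (what the Wazuh ruleset relies on; confirm
    with ossec-logtest on your own install). Returns None if nothing decoded."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "kernel":
        return None
    fields = {"decoded_as": "kernel", "msg": m.group("msg")}
    if fields["msg"].startswith("usb "):
        fields["id"] = "usb"
    return fields


def load_rules(xml_text):
    """Parse a local_rules.xml-style <group> into a dict keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level", "0")),
            "decoded_as": r.findtext("decoded_as"),
            "decoded_id": r.findtext("id"),  # child <id> element, not the attribute
            "if_sid": [s.strip() for s in (r.findtext("if_sid") or "").split(",") if s.strip()],
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        }
    return rules


RULES = load_rules(LOCAL_RULES)


def evaluate(line, rules=RULES):
    """Return the ids of every rule that matches `line`, parents before children."""
    decoded = decode(line)
    if decoded is None:
        return []
    matched = []
    # Parent rules (no if_sid) are tried first so children can chain on them.
    for rule in sorted(rules.values(), key=lambda r: bool(r["if_sid"])):
        if rule["if_sid"] and not set(rule["if_sid"]) & set(matched):
            continue
        if rule["decoded_as"] and decoded["decoded_as"] != rule["decoded_as"]:
            continue
        if rule["decoded_id"] and decoded.get("id") != rule["decoded_id"]:
            continue
        # OSSEC <match> is a plain substring test against the log message.
        if rule["match"] and rule["match"] not in decoded["msg"]:
            continue
        matched.append(rule["id"])
    return matched


def alert(line, rules=RULES):
    """Mimic the engine's outcome: the last (deepest) matching rule wins and
    level 0 produces no alert. Returns None or (rule id, level, description)."""
    matched = evaluate(line, rules)
    if not matched:
        return None
    rule = rules[matched[-1]]
    if rule["level"] == 0:
        return None
    return (rule["id"], rule["level"], rule["description"])


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(f"{entry[:58]:58} -> {evaluate(entry)} alert={alert(entry)}")
```

Only the first sample line produces an alert (81101, level 3); the other two kernel lines are swallowed by the level-0 grouping rule, and the sshd line never reaches the USB group because it was not decoded as `kernel`. The same three outcomes are what ossec-logtest should show once the rules are in local_rules.xml; if it reports the decoder as something other than `kernel` or the rule as unmatched, the missing piece is the decoder, not the rule.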