On Tue, May 12, 2020 at 8:57 AM Dominik Vogt <dominik.v...@gmx.de> wrote:
>
> I'm struggling to understand how to write custom rules.
> Unfortunately the "<group>" tag seems to be completely
> undocumented, and the book doesn't explain it either:
>
>   Each rule, or grouping of rules, must be defined within a
>   <group></group> element.  Your attribute name must contain the
>   rules you want to be part of this group.
>
> ...
>
>   <group name="syslog,sshd,">
>      <rule id="100120" level ="5"> ... </rule>
>      ...
>   </group>
>
> The "name" of the group is a comma separated list of rules that
> are "part of the group"?  What does that mean?
>

They're kind of like tags that help label the rules.

> --
>
> Specifically, I want to try out the example from the chapter
> "Increasing the Alert Severity for Important Files":
>
>   <rule id="100614" level="10">
>     <if_group>syscheck</if_group>
>     <match>for:'/etc/foobar</match>
>   </rule>
>
> So, this needs to be enclosed in a <group> tag?  What is the
> supposed value of the "name" attribute?
>

Whatever you want. I'd start with local, and maybe add other things if
I want to be able to use them later.

> Ciao
>
> Dominik ^_^  ^_^
>
> --
>
> Dominik Vogt
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/20200512125638.wk4kklcfzi3eunp2%40gmx.de.

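An added example, not part of this thread and not OSSEC's own code: a small Python reader that shows the "tags" view of `<group name="...">`. Every rule inside a `<group>` block inherits the comma-separated names from the attribute (the trailing comma in `syslog,sshd,` is just OSSEC's convention and produces no tag), a rule can add more through its own `<group>` child, and `<if_group>` in a later rule chains from rules carrying that tag. The rule file content is constructed for the demonstration, the `authentication_failed` tag and the `<if_group>` values of rule 100120 are assumptions, and wrapping the file in a synthetic root is this script's workaround, since OSSEC's loader accepts several top-level `<group>` blocks that plain XML parsers reject.

```python
"""Compute the effective group tags of rules in an OSSEC local_rules.xml.

Added example (not from the thread, not OSSEC's loader): it models how the
comma-separated `name` attribute of <group> is applied as a set of tags to
every <rule> inside the block, and how <if_group> refers to those tags.
"""
import xml.etree.ElementTree as ET

# Constructed sample rule file.  The first block wraps the book's syscheck
# example in a <group> named "local,syscheck,"; the second is an assumed
# sshd rule that adds its own tag with a <group> child element.
SAMPLE_RULES = """
<group name="local,syscheck,">
  <rule id="100614" level="10">
    <if_group>syscheck</if_group>
    <match>for:'/etc/foobar</match>
    <description>Important file /etc/foobar changed</description>
  </rule>
</group>

<group name="local,syslog,sshd,">
  <rule id="100120" level="5">
    <if_group>authentication_failed</if_group>
    <match>192.0.2.</match>
    <group>lab_network,</group>
    <description>Failed ssh login from the lab network (assumed rule)</description>
  </rule>
</group>
"""


def split_tags(value):
    """Split OSSEC's comma-separated group list into tags.

    A trailing comma, as in "syslog,sshd,", leaves an empty item, which is
    dropped rather than treated as a tag.
    """
    return [t.strip() for t in (value or "").split(",") if t.strip()]


def load_rules(xml_text):
    """Return one dict per <rule>, with the tags it carries.

    Rule files may contain several top-level <group> blocks, so the text is
    wrapped in a synthetic <rules> root before parsing.  Only top-level
    <group> elements are treated as blocks; a <group> child inside a <rule>
    is that rule's own extra tag list.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for block in root.findall("group"):
        inherited = split_tags(block.get("name"))
        for rule in block.findall("rule"):
            own = split_tags(rule.findtext("group"))
            # inherited tags first, then the rule's own, without duplicates
            tags = list(dict.fromkeys(inherited + own))
            rules.append({
                "id": int(rule.get("id")),
                "level": int(rule.get("level", "0")),
                "tags": tags,
                "if_group": rule.findtext("if_group"),
                "match": rule.findtext("match"),
                "description": rule.findtext("description"),
            })
    return rules


def rules_tagged(rules, tag):
    """IDs of rules carrying `tag`: the rules an <if_group>tag</if_group>
    in a later rule can chain from."""
    return [r["id"] for r in rules if tag in r["tags"]]


if __name__ == "__main__":
    loaded = load_rules(SAMPLE_RULES)
    for r in loaded:
        print(f"rule {r['id']} level {r['level']} tags={r['tags']} "
              f"if_group={r['if_group']!r}")
    print("rules tagged 'local':", rules_tagged(loaded, "local"))
```

Running the script lists both rules with the tags they carry; the rule written with `<group name="local,syscheck,">` ends up tagged `local` and `syscheck`, which is all the `name` attribute does for it.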