ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Ossec rule matching order #1635

Open chunk734 opened 5 years ago

chunk734 commented 5 years ago

I am confused about the order in which OSSEC matches different rules. According to my understanding, it matches rules with level 0 first and then in decreasing order from the highest to the lowest alert level. Then what is the order between rules having the same alert level?

Can anyone please clarify?

Thanks in advance

zvanderbilt commented 5 years ago

OSSEC doesn't order rules by alert level but by category, then rule id. I.e., is it a Windows event? Yes? Go check all the Windows rules. You can test your event/log line with ossec-logtest -v and that will display the order of rules attempted for a match.

They go a little more in depth here: https://groups.google.com/forum/#!topic/ossec-list/yi3Ts5MaqH4
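An added example, not from this thread or from OSSEC's own code: a small Python model of the ordering the reply describes (category first, then ascending rule id, with if_sid children tried only after their parent matches), reporting the attempted order the way ossec-logtest -v does. The rule ids, the sample log lines and the use of Python's re module in place of OSSEC's own `<match>` pattern syntax are assumptions of this model.

```python
import re
import xml.etree.ElementTree as ET
# Constructed rules in OSSEC rule-file syntax (ids made up, in the local range).
RULES_XML = """<group name="local,">
  <rule id="100100" level="0"><decoded_as>sshd</decoded_as>
    <description>sshd messages grouped (silent parent).</description></rule>
  <rule id="100120" level="5"><if_sid>100100</if_sid><match>Failed password</match>
    <description>sshd authentication failure.</description></rule>
  <rule id="100110" level="5"><if_sid>100100</if_sid><match>invalid user</match>
    <description>sshd login with a non-existent user.</description></rule>
  <rule id="100200" level="3"><decoded_as>sudo</decoded_as>
    <description>sudo messages grouped (another category).</description></rule>
</group>"""

def load_rules(xml_text):
    """Parse rules into dicts keyed by id; if_sid links a child to its parent."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        text = lambda tag: (r.findtext(tag) or "").strip() or None
        rules[int(r.get("id"))] = {
            "id": int(r.get("id")), "level": int(r.get("level")),
            "decoded_as": text("decoded_as"), "match": text("match"),
            "if_sid": int(text("if_sid")) if text("if_sid") else None}
    return rules

def evaluate(rules, decoder, log):
    """Simplified model of the order the reply describes: category (decoded_as)
    first, then parent and child rules in ascending id order; the deepest match
    wins. Returns (rule ids attempted in order, winning rule dict or None)."""
    attempted, winner = [], None
    def children_of(parent_id):
        return sorted((r for r in rules.values() if r["if_sid"] == parent_id),
                      key=lambda r: r["id"])

    def walk(candidates):
        nonlocal winner
        for r in candidates:
            attempted.append(r["id"])
            if r["decoded_as"] and r["decoded_as"] != decoder:
                continue  # wrong category: skipped before any pattern test
            # Real OSSEC <match> uses its own pattern syntax; re.search stands in.
            if r["match"] and not re.search(r["match"], log):
                continue
            winner = r
            walk(children_of(r["id"]))  # first matching sibling wins, then descend
            return
    walk(children_of(None))  # roots are the rules with no if_sid
    return attempted, winner
```

A level 0 parent that matches while no child does is the "silent" outcome the question asks about: the event is grouped but raises no alert.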