3 layers:
- default
  - there are no include rules
  - exclude rules are in one of ignore.d.workstation, ignore.d.server, or ignore.d.paranoid
  - exclude rule directory is based on "report level" in logcheck.conf
  - subject line option in logcheck.conf is EVENTSUBJECT
- security/violations
  - include rules are in violations.d
  - exclude rules are in violations.ignore.d
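
As an added illustration (not logcheck's own code and not part of the original page), the shell sketch below models one layer as "include rules, then exclude rules" for the two layers listed above. The rule contents, log lines and function names are constructed for the example, and interaction between layers is not modelled.

```shell
#!/bin/sh
# Added illustration, not logcheck's own code. Rules and log lines are constructed.

# Write constructed sample rule files under the directory given as $1.
make_sample_rules() {
    mkdir -p "$1/violations.d" "$1/violations.ignore.d" \
             "$1/ignore.d.server" "$1/ignore.d.paranoid"
    printf '%s\n' 'sudo: .*incorrect password attempts' > "$1/violations.d/sample"
    printf '%s\n' 'sudo: +backup : '                    > "$1/violations.ignore.d/sample"
    printf '%s\n' 'CRON\[[0-9]+\]: \(root\) CMD '       > "$1/ignore.d.server/sample"
    printf '%s\n' 'kernel: constructed-sample-message'  > "$1/ignore.d.paranoid/sample"
}

# Constructed log lines.
sample_log() {
    cat <<'EOF'
Jan  1 00:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 00:00:02 host sudo:   alice : 3 incorrect password attempts ; TTY=pts/0
Jan  1 00:00:03 host sudo:   backup : 3 incorrect password attempts ; TTY=pts/1
EOF
}

# Print every rule in a directory. Comments and blank lines are dropped,
# because an empty pattern would match every log line.
rules_in() { sed -e '/^#/d' -e '/^[[:space:]]*$/d' "$1"/*; }

# layer_report INCLUDE_DIR EXCLUDE_DIR   (log on stdin)
# Keeps lines matching an include rule (all lines when INCLUDE_DIR is empty),
# then drops lines matching any exclude rule.
layer_report() {
    _t=$(mktemp -d) || return 1
    cat > "$_t/log"
    if [ -n "$1" ]; then
        rules_in "$1" > "$_t/inc"
        grep -E -f "$_t/inc" "$_t/log" > "$_t/hit" || :
    else
        cp "$_t/log" "$_t/hit"
    fi
    rules_in "$2" > "$_t/exc"
    grep -E -v -f "$_t/exc" "$_t/hit" || :
    rm -rf "$_t"
}

# default layer: no include rules; exclude directory chosen by report level ($2).
default_layer()  { layer_report "" "$1/ignore.d.$2"; }
# security/violations layer: violations.d includes, violations.ignore.d excludes.
security_layer() { layer_report "$1/violations.d" "$1/violations.ignore.d"; }

demo=$(mktemp -d); make_sample_rules "$demo"
echo "== security/violations =="; sample_log | security_layer "$demo"
echo "== default (server) ==";    sample_log | default_layer "$demo" server
rm -rf "$demo"
```

With these sample rules the security/violations layer reports only the `alice` line, and the CRON line is dropped from the default layer at report level `server` but kept at `paranoid`.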