I try to disable the email notifications for the OSSEC rule 5758.
<rule id="5758" level="8">
<decoded_as>sshd</decoded_as>
<match>^error: maximum authentication attempts exceeded </match>
<description>Maximum authentication attempts exceeded.</description>
<group>authentication_failed,</group>
</rule>
In /var/ossec/rules/local_rules.xml I added this custom rule:
<rule id="100002" level="8">
<if_sid>5758</if_sid>
<description>No mail for max auth SSH</description>
<options>no_email_alert</options>
</rule>
But this rule has no effect.