Hi Clayton,

Within the ossec model, the agents have no information about rules
whatsoever. So, if you need to modify a rule, you need to do it on the
server side.

How do you do it? If you have a rule like that (from our FAQ):

<group name="local">
 <rule id="100101" level="0">
   <if_sid>123, 456</if_sid>
   <match>xyz</match>
   <description>Events ignored</description>
 </rule>
</group>

But you only want it to apply to one agent, you need to use the "hostname" tag
to limit it to the agents you want:

<group name="local">
 <rule id="100101" level="0">
   <if_sid>123, 456</if_sid>
   <match>xyz</match>
   <hostname>agent1|agent2</hostname>
   <description>Events ignored</description>
 </rule>
</group>

Hope it helps.

*http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/24/07, Clayton Dillard <[EMAIL PROTECTED]> wrote:
>
>  I'm a bit fuzzed on the relationship between the server and agents with 
> respect to rule processing.  I have an OSSEC server with several agents 
> connected.  If I want to make a change to a rule that affects a given host, 
> do I make the change on the server or the host(s)?
>
>  Thanks,
>
>   --
>  Clayton Dillard <[EMAIL PROTECTED]>
>  RPS Technology, LLC
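
An added example, not part of the original message and not OSSEC's own code: a small audit of server-side rule XML that lists every level-0 (ignore) rule and whether a "hostname" tag scopes it to named agents or leaves it applying to all of them. The function names, the second rule id (100102) and the matching logic (a case-insensitive substring test per "|" alternative) are assumptions made for the illustration, and the input is assumed to be well-formed XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two rule variants from the message, given distinct ids.
SAMPLE_RULES = """
<group name="local">
 <rule id="100101" level="0">
   <if_sid>123, 456</if_sid>
   <match>xyz</match>
   <description>Events ignored</description>
 </rule>
 <rule id="100102" level="0">
   <if_sid>123, 456</if_sid>
   <match>xyz</match>
   <hostname>agent1|agent2</hostname>
   <description>Events ignored</description>
 </rule>
</group>
"""

def ignore_rule_scopes(rules_xml):
    """Return {rule_id: [hostname patterns] or None} for every level-0 rule.
    None means no <hostname> tag: the ignore applies to events from all agents."""
    # A rule file may hold several top-level <group> elements, so wrap them.
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    scopes = {}
    for rule in root.iter("rule"):
        if rule.get("level") != "0":
            continue
        host = rule.findtext("hostname")
        scopes[rule.get("id")] = [p.strip() for p in host.split("|")] if host else None
    return scopes

def rule_applies(scope, agent):
    """Assumed, simplified stand-in for the server's matching: case-insensitive
    substring test of each |-separated alternative against the agent name."""
    if scope is None:
        return True
    return any(p.lower() in agent.lower() for p in scope)

def silenced_on(rules_xml, agent):
    """Ids of the level-0 rules that would apply to events from `agent`."""
    return sorted(rid for rid, s in ignore_rule_scopes(rules_xml).items()
                  if rule_applies(s, agent))

if __name__ == "__main__":
    for rid, scope in ignore_rule_scopes(SAMPLE_RULES).items():
        print(rid, "all agents" if scope is None else scope)
    print("agent3 silenced by:", silenced_on(SAMPLE_RULES, "agent3"))
```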
