Hi John,

Rick explained it well, just edit your rules at local_rules.xml and
restart the server when done. Nothing needs to be restarted at the
agent side.

As for writing your own rules, the following document can be very helpful:

http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/12/07, John Hinton <[EMAIL PROTECTED]> wrote:
>
> I have set up a server/agents system. These are on CentOS systems so it
> would be equivalent to RedHat EL servers.
>
> I'm wondering what needs to be done upon the edit of a rule.
>
> Does the server need to be restarted? Do each of the agents need to be
> restarted? Does the server and all of the agents need to be restarted?
> Or, does the rule go into effect at the time of the edit or maybe
> something is set to reread the rules at some time afterwards?
>
> Yes, I'm experimenting with rules and am trying to figure out if I have
> an 'order' situation, where one rule steps in before my new rule is
> enacted.... which will likely be the topic of my next post after knowing
> the answer to this.
>
> Thanks for a great program!
>
> Best,
> John Hinton
>