On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <tsinfosect...@gmail.com> wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made,
> restart, and still have the same issue.
>

Try stopping the ossec processes, verify that ossec-analysisd has
stopped (sometimes it doesn't and causes issues), and start it back
up.
Can you also post the changes you made?

> On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com> wrote:
>> > Hi all,
>> >
>> > I'm running into an issue where rule 510 is triggering and I'm getting
>> > spammed with alerts but I can't seem to tune it correctly. What's weird is
>> > that I am still getting alerted for rule 510 for this log, but I can't
>> > figure out how to get that to show in logtest. Basically, I am getting
>> > spammed with rule 510 and trying to filter it down more and here is what
>> > happens when I enter the log in logtest: .... any ideas on how to fix
>> > this?
>> >
>> > **Phase 1: Completed pre-decoding.
>> >
>> >        full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>> >
>> >        hostname: 'hostname'
>> >
>> >        program_name: '(null)'
>> >
>> >        log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>> >
>> >
>> > **Phase 2: Completed decoding.
>> >
>> >        decoder: 'sample_decoder_setup'
>> >
>> >        id: '/filepath/'
>> >
>>
>> Did you restart the OSSEC processes on the server after making your
>> modifications?
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.