Hi John, my procedure is to edit local_rules.xml and then cd ../bin; ./ossec-control restart.
 
The client forwards events to the server; the server processes the rules for 
alerting and action. If you install the ossec-wui you can look at all the 
alerts and see how many more events are processed beneath your alert threshold.
 
Rick McClinton
 
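Rick's edit-then-restart procedure as an added example script. This is not Rick's or John's code and not part of the OSSEC project; it assumes an OSSEC install under /var/ossec (overridable with $OSSEC_DIR) with bin/ossec-control and rules/local_rules.xml in their usual places, runs a rough sanity check on the rules file before restarting, and the sample rule, its id and its description are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread and not OSSEC project code.
# Assumptions: OSSEC lives under $OSSEC_DIR (default /var/ossec), local rules
# are in $OSSEC_DIR/rules/local_rules.xml, and the rule below is constructed.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Write a constructed local rule into the file named by $1.  Local rule ids
# start at 100000 so they do not collide with the rules shipped by OSSEC.
write_sample_rule() {
    cat > "$1" <<'EOF'
<group name="local,syslog,">
  <rule id="100001" level="10">
    <if_sid>5716</if_sid>
    <description>Constructed example: alert on an sshd authentication failure.</description>
  </rule>
</group>
EOF
}

# Heuristic sanity check of a local rules file before the server is
# restarted: every <rule ...> must have a matching </rule>, and the rules
# must sit inside at least one <group>.  Returns 0 if it looks loadable.
check_local_rules() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    opens=$(grep -c '<rule ' "$f" || true)
    closes=$(grep -c '</rule>' "$f" || true)
    groups=$(grep -c '<group ' "$f" || true)
    if [ "$opens" -ne "$closes" ] || [ "$groups" -lt 1 ]; then
        echo "$f: $opens <rule> vs $closes </rule>, $groups <group>" >&2
        return 1
    fi
    return 0
}

# The server only reads local_rules.xml when its daemons start, so the file
# is checked first and the restart is skipped when the check fails.
apply_local_rules() {
    f="${1:-$OSSEC_DIR/rules/local_rules.xml}"
    check_local_rules "$f" || return 1
    "$OSSEC_DIR/bin/ossec-control" restart
}

# Usage on a host with OSSEC installed:
#   write_sample_rule "$OSSEC_DIR/rules/local_rules.xml"   # or edit by hand
#   apply_local_rules
```

The check only counts tag pairs; it is not a parse. OSSEC also ships bin/ossec-logtest, which loads the rules the same way the server does and prints which rule a log line pasted on stdin matches, so running it before the restart shows both whether the edited file loads and whether the new rule or an earlier one wins the ordering question John raises.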

________________________________

From: [email protected] on behalf of John Hinton
Sent: Fri 10/12/2007 2:01 PM
To: [email protected]
Subject: [ossec-list] How are rules enacted?

I have set up a server/agents system. These are on CentOS systems so it
would be equivalent to RedHat EL servers.

I'm wondering what needs to be done upon the edit of a rule.

Does the server need to be restarted? Does each of the agents need to be
restarted? Do the server and all of the agents need to be restarted?
Or, does the rule go into effect at the time of the edit or maybe
something is set to reread the rules at some time afterwards?

Yes, I'm experimenting with rules and am trying to figure out if I have
an 'order' situation, where one rule steps in before my new rule is
enacted.... which will likely be the topic of my next post after knowing
the answer to this.

Thanks for a great program!

Best,
John Hinton