Hi Folks,
First message to the list; apologies if this has been covered before, but my
Google fu is obviously weak, as I cannot find the answer.
I have a central OSSEC server, currently v2.4.1 on Ubuntu, and a number of remote
agents, all 2.4.1, and everything is working well.
I now want to suppress some rogue alerts generated by a couple of 'Windows 2003
Servers/Agents'.
After Googling I understand that I need to:
Modify the 'local agent' copy of the local_rules.xml file, adding a new custom
rule as follows:
<group name="local">
  <rule id="100101" level="0">
    <if_sid>18153</if_sid>
    <match>wmiprvse.exe</match>
    <description>Events ignored</description>
  </rule>
</group>
OK, so my first problem: there is no 'local_rules.xml' file on the Windows
agent. Undeterred, I have created one and placed it in the root of the ossec-agent
folder. Is this the correct thing to do?
I have then added the following to the ossec.conf configuration file on the
agent, just before the closing </ossec_config> tag (i.e. within the 'default'
block), and restarted the agent.
<rules>
  <include>local_rules.xml</include>
</rules>
The agent runs ok, but I see no entry relating to local_rules.xml in the log
file and the alerts are still being generated.
Any pointers as to what I'm doing wrong would be greatly appreciated.
Simon
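The following is an added example, not part of Simon's post or of OSSEC itself. In OSSEC, rules are evaluated by ossec-analysisd on the manager; agents only collect and forward events and never read a local_rules.xml, so a level-0 "ignore" rule like the one above has to live in the manager's rules/local_rules.xml (which the manager's default ossec.conf already includes). The script appends such a rule to the manager's file, refuses to add a duplicate rule id, reads the rule back to confirm it is present with level 0, and offers a wrapper around ossec-logtest for checking a sample event. It assumes OSSEC is installed under /var/ossec (override with OSSEC_DIR or RULES_FILE); rule id 100101, parent rule 18153 and the string wmiprvse.exe are taken from the post, and the rule id is assumed to be unused.

```shell
#!/bin/sh
# Added example: install a level-0 child rule on the OSSEC manager.
# Assumption: OSSEC lives under /var/ossec (override via OSSEC_DIR / RULES_FILE).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
RULES_FILE="${RULES_FILE:-$OSSEC_DIR/rules/local_rules.xml}"

# rule_exists FILE ID -> exit 0 if a rule with that id is already defined in FILE
rule_exists() {
    grep -q "<rule id=\"$2\"" "$1" 2>/dev/null
}

# add_ignore_rule FILE ID PARENT_SID MATCH DESCRIPTION
# Appends a child rule of PARENT_SID with level 0, so matching events are
# decoded but never alerted on. OSSEC accepts several <group> elements per
# rules file, so a fresh group is simply appended to the end of FILE.
# MATCH and DESCRIPTION are written verbatim: keep XML metacharacters (& < >) out.
add_ignore_rule() {
    file=$1 id=$2 parent=$3 pattern=$4 desc=$5
    if rule_exists "$file" "$id"; then
        echo "rule $id already present in $file" >&2
        return 1
    fi
    cat >> "$file" <<EOF

<group name="local,">
  <rule id="$id" level="0">
    <if_sid>$parent</if_sid>
    <match>$pattern</match>
    <description>$desc</description>
  </rule>
</group>
EOF
}

# check_rule FILE ID PARENT_SID MATCH -> exit 0 only if FILE contains a rule
# with that id at level 0 whose body carries the expected if_sid and match.
check_rule() {
    awk -v id="$2" -v sid="$3" -v pat="$4" '
        index($0, "<rule id=\"" id "\"") && index($0, "level=\"0\"") { inrule = 1; next }
        inrule && index($0, "<if_sid>" sid "</if_sid>")  { sid_ok = 1 }
        inrule && index($0, "<match>" pat "</match>")     { pat_ok = 1 }
        inrule && index($0, "</rule>")                    { inrule = 0 }
        END { exit !(sid_ok && pat_ok) }' "$1"
}

# logtest LOGLINE -> feed one raw event through ossec-logtest on the manager and
# print the rule it ends up matching (a level-0 rule means no alert is raised).
logtest() {
    if [ -x "$OSSEC_DIR/bin/ossec-logtest" ]; then
        printf '%s\n' "$1" | "$OSSEC_DIR/bin/ossec-logtest"
    else
        echo "ossec-logtest not found under $OSSEC_DIR; run this on the manager" >&2
        return 2
    fi
}

# Only touch the real rules file when invoked as: sh this.sh install
case "${1:-}" in
    install)
        add_ignore_rule "$RULES_FILE" 100101 18153 wmiprvse.exe "Events ignored"
        check_rule "$RULES_FILE" 100101 18153 wmiprvse.exe && echo "rule 100101 installed in $RULES_FILE"
        ;;
esac
```

After `sh this.sh install`, restart the manager (`/var/ossec/bin/ossec-control restart`) so ossec-analysisd reloads the rules; the agents need no change and no local_rules.xml of their own. To confirm the rule fires, paste one of the offending Windows events, exactly as it appears in the manager's archives or alerts, into `logtest`: the output should end at rule 100101 with level 0.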