On Thu, Dec 2, 2010 at 8:20 AM, Simon Slaytor <[email protected]> wrote:

> Hi Folks,
>
> First message to the list, apologies if this has been covered before but my Google fu is obviously weak as I cannot find the answer.
>
> I have a central OSSEC server currently v2.4.1 on Ubuntu and a number of remote agents, all 2.4.1 and everything is working well.
>
> I now want to suppress some rogue alerts generated by a couple of ‘Windows 2003 Servers/Agents’.
>
> After Googling I understand that I need to:
>
> Modify the ‘local agent’ copy of the local_rules.xml file adding a new custom rule as follows:
>
>     <group name="local">
>       <rule id="100101" level="0">
>         <if_sid>18153</if_sid>
>         <match>wmiprvse.exe</match>
>         <description>Events ignored</description>
>       </rule>
>     </group>
>
> Ok so my first problem, there is no ‘Local_rules.xml’ file on the Windows agent, undeterred I have created one and placed it in the root of the ossec-agent folder, is this the correct thing to do?
>
> I have then added the following to the ossec.conf configuration file on the agent, just before, i.e. within the ‘default’ </ossec_config> and restarted the agent.
>
>     <rules>
>       <include>local_rules.xml</include>
>     </rules>
>
> The agent runs ok, but I see no entry relating to local_rules.xml in the log file and the alerts are still being generated.
>
> Any pointers as to what I’m doing wrong would be greatly appreciated.
>
> Simon
The agents do not have copies of the rules. The local_rules.xml you need to populate is on the manager. The log messages from the agents are sent to the manager, the manager analyzes the log message.
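As an added illustration of the reply above (not part of the thread), this is what the same rule looks like when it is placed where it is actually evaluated: in local_rules.xml on the OSSEC manager, which on a default install lives at /var/ossec/rules/local_rules.xml (path assumed; it depends on the install prefix). The `<hostname>` element is an assumption on my part: it limits the suppression to the two Windows 2003 agents instead of silencing every wmiprvse.exe event from every agent, which is the safer choice when you are only trying to quiet a known-noisy host. Replace the placeholder names with the agent names as they appear in the manager's agent list.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC manager, not on the agent.
     The manager's stock ossec.conf already includes this file in its <rules>
     section, so no <include> change is needed anywhere. -->
<group name="local,">

  <!-- Child of 18153 (the Windows event rule that is firing). level="0" means
       "match and discard": the event is consumed here and raises no alert. -->
  <rule id="100101" level="0">
    <if_sid>18153</if_sid>
    <match>wmiprvse.exe</match>
    <!-- Assumption: restrict to the noisy hosts only. Hostnames are placeholders
         and are a regex, so the pipe means "either of these agents". -->
    <hostname>WIN2003-AGENT-A|WIN2003-AGENT-B</hostname>
    <description>wmiprvse.exe events from the Windows 2003 agents ignored</description>
  </rule>

</group>
```

After saving the file, restart the manager (for example `/var/ossec/bin/ossec-control restart`) so analysisd reloads the rule set; the agents need no change and no restart. To confirm the rule fires before waiting for a live event, paste one of the offending log lines from the manager's archives or alerts log into `/var/ossec/bin/ossec-logtest` on the manager: the output should end with rule 100101 at level 0 rather than 18153, and the same line with the `<hostname>` element removed shows whether the hostname filter is what is preventing a match.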
