Additional information. It seems that the ossec-logtest tool can
decode the event to the correct rule. But in the alerts log, the event
is still translated to the removed rule:
Message returned by ossec-logtest:
==================================
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '539'
extra_data: 'Security'
dstuser: 'SYSTEM'
system_name: 'SLV10001'
**Phase 3: Completed filtering (rules).
Rule id: '18138'
Level: '7'
Description: 'Logon Failure - Account locked out.'
**Alert to be generated.
Message in the alerts log:
==================================
** Alert 1301295387.31479813: - local,syslog,
2011 Mar 28 02:56:27 (SLV10001.vistcorp.ad.visteon.com) 136.17.100.154->WinEvtLog
Rule: 100004 (level 1) -> 'Stop email alerting for basic windows alerts'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(539): Security: SYSTEM: NT AUTHORITY: SLV10001: Logon Failure: Reason: Account locked out User Name: bli7 Domain: VISTEON Logon Type: 3 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: SLV10001 Caller User Name: SLV10001$ Caller Domain: VISTEON Caller Logon ID: (0x0,0x3E7) Caller Process ID: 420 Transited Services: - Source Network Address: 136.18.0.61 Source Port: 9580
On Mar 28, 10:11 AM, Endy <[email protected]> wrote:
> Hi,
>
> Can someone help me with an issue? Recently, I modified the
> local_rules.xml file and removed some rules we created before. Then I
> restarted the OSSEC service. I checked the ossec.log file, and it seems
> that the rule file local_rules.xml was loaded. But I just found that
> the old rules we removed are still in effect. Is it possible that
> OSSEC cached the local_rules.xml somewhere and uses it even if I update
> the version under /var/ossec/rules? If so, how can I clear the cached
> file and make OSSEC use the updated version? Or is there anything
> I can check to troubleshoot this issue? Thanks in advance.
>
> Best regards,
>
> Endy Tang
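An added example, not code from the thread or from the OSSEC project: a small Python parser for the alerts.log record layout quoted above (the `** Alert` header followed by a `Rule: N (level L) -> '...'` line), used to tally which rule id actually fired for the Windows event 539 alerts and to flag any id other than the one ossec-logtest predicts (18138). The sample records are constructed to mirror the thread's entries; the function names and the marker string `AUDIT_FAILURE(539)` are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample in the alerts.log layout quoted in the thread (not real data).
SAMPLE_ALERTS = """\
** Alert 1301295387.31479813: - local,syslog,
2011 Mar 28 02:56:27 (SLV10001) 136.17.100.154->WinEvtLog
Rule: 100004 (level 1) -> 'Stop email alerting for basic windows alerts'
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(539): Security: SYSTEM: Logon Failure: Reason: Account locked out

** Alert 1301295400.31480000: mail - local,syslog,
2011 Mar 28 02:56:40 (SLV10001) 136.17.100.154->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(539): Security: SYSTEM: Logon Failure: Reason: Account locked out
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")

def parse_alerts(text):
    """Split alerts.log text into records: {ts, rule, level, desc, lines}."""
    records, current = [], None
    for line in text.splitlines():
        header = ALERT_HEADER.match(line)
        if header:  # a new "** Alert" line starts a record
            current = {"ts": header.group("ts"), "rule": None, "level": None, "desc": None, "lines": []}
            records.append(current)
            continue
        if current is None:  # text before the first header is ignored
            continue
        rule = RULE_LINE.match(line)
        if rule:
            current["rule"] = int(rule.group("id"))
            current["level"] = int(rule.group("level"))
            current["desc"] = rule.group("desc")
        current["lines"].append(line)
    return records

def rules_for_event(records, event_marker):
    """Count which rule ids fired for records whose payload contains event_marker."""
    hits = Counter()
    for rec in records:
        if any(event_marker in line for line in rec["lines"]):
            hits[rec["rule"]] += 1
    return hits

def unexpected_rules(records, event_marker, expected_rule):
    """Rule ids other than expected_rule that fired for the event: the symptom in the thread."""
    return sorted(r for r in rules_for_event(records, event_marker) if r != expected_rule)
```

Running `unexpected_rules(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()), "AUDIT_FAILURE(539)", 18138)` on a real log lists the rule ids that analysisd is still applying to these events, which is the quickest way to confirm whether the daemon loaded the edited local_rules.xml.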