The local_rules.xml file is not cached anywhere. If you change the one in /var/ossec/rules and restart the ossec processes, you've done all you should need to do.
Try fully stopping the ossec processes on the server (/var/ossec/bin/ossec-control stop) for a few seconds. Make sure all processes are stopped, then start them again.

What OS are you using on the manager?

On Sun, Mar 27, 2011 at 10:11 PM, Endy <[email protected]> wrote:
> Hi,
>
> Can someone help me on an issue? Recently, I modified the
> local_rules.xml file and removed some rules we created before. Then I
> restarted the OSSEC service. I checked the ossec.log file, it seems
> that the rule file local_rules.xml was loaded. But I just found that
> the old rules we removed are still in effect. Is it possible that
> OSSEC cached the local_rules.xml somewhere and uses it even if I update
> the version under /var/ossec/rules? If so, how can I clear the cached
> file and make OSSEC use the updated version? Or, is there anything
> I can check to troubleshoot this issue? Thanks in advance.
>
> Best regards,
>
> Endy Tang
