Thanks Dan! The issue was solved by using the suggestion you provided in the following post: http://groups.google.com/group/ossec-list/browse_thread/thread/e75570d157b9e817
Endy On 3月29日, 上午3时09分, "dan (ddp)" <[email protected]> wrote: > The local_rules.xml file is not cached anywhere. If you change the one > in /var/ossec/rules, and restart the ossec processes you've done all > you should need to do. > > Try fully stopping the ossec processes on the server > (/var/ossec/bin/ossec-control stop) for a few seconds. Make sure all > processes are stopped, then start them again. > > What OS are you using on the manager? > > > > On Sun, Mar 27, 2011 at 10:11 PM, Endy <[email protected]> wrote: > > Hi, > > > Can someone help me on an issue? Recently, I modified the > > local_rules.xml file and removed some rules we created before. Then I > > restarted the OSSEC service. I checked the ossec.log file, it seems > > that the rule file local_rules.xml was loaded. But I just found that > > the old rules we removed are still in effect. Is it possible that > > OSSEC cached the local_rules.xml somewhere and use it even if I update > > the version under /var/ossec/rules? If so, how can I clear the cached > > file and make OSSEC to use the updated version? Or, is there anything > > I can check to troubleshoot this issue. Thanks in advance. > > > Best regards, > > > Endy Tang
