Rules don't get pushed to the agents; they only exist on the manager. As soon as you restart the manager's ossec processes, the new rules should be working.

On Thu, Aug 18, 2011 at 8:52 AM, Chris Phillips <[email protected]> wrote:
> Hi All,
>
> When I see an alert which I do not want to be notified of (such as assorted
> things triggering rule 1002), on the central "server" instance, I edit
> /var/ossec/rules/local_rules.xml and add an anti-rule, specifying level="0"
> for the particular pattern-match. I then restart with
> /var/ossec/bin/ossec-control restart.
>
> It seems to take a very long time for that change to propagate & take effect
> on the "agents".
>
> Do I need to do something to manually make the updates apply across the
> board, or can I alter some setting to make the updates a bit more immediate?
>
> Cheers,
> --
> Chris Phillips
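
An added example, not part of the original messages: a level-0 override of rule 1002 as it would sit in /var/ossec/rules/local_rules.xml on the manager. The rule id 100001, the match string and the sample log line are constructed placeholders.

```xml
<!-- /var/ossec/rules/local_rules.xml on the manager only.
     Agents forward events; rule matching happens on the manager,
     so nothing in this file is ever copied to an agent. -->
<group name="local,syslog,">

  <!-- Child of rule 1002: evaluated only after 1002 has matched.
       level="0" means the event is ignored (no alert, no e-mail).
       id 100001 is a constructed example in the local-rule range. -->
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <!-- Constructed pattern: keep it as narrow as possible so that
         other events hitting rule 1002 still raise alerts.
         Constructed sample line this is meant to silence:
         Aug 18 08:40:01 web01 backupd: error count 0, run finished -->
    <match>backupd: error count 0</match>
    <description>Ignore benign backupd summary line matched by rule 1002.</description>
  </rule>

</group>
```

Pasting a sample log line into /var/ossec/bin/ossec-logtest on the manager shows which rule id and level it resolves to, and the running analysis process picks the rule up after /var/ossec/bin/ossec-control restart.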
