OK, thanks. Maybe what I've seen is alerts which have been sent before my rule tweak but were stuck in a mail queue and arrived after the tweak was live.

--
ChrisP

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: 18 August 2011 15:31
To: [email protected]
Subject: Re: [ossec-list] Local rule change on server takes ages to disseminate to agents

Rules don't get pushed to the agents, they only exist on the manager. As soon as you restart the manager's ossec processes, the new rules should be working.

On Thu, Aug 18, 2011 at 8:52 AM, Chris Phillips <[email protected]> wrote:
> Hi All,
>
> When I see an alert which I do not want to be notified of (such as assorted
> things triggering rule 1002), on the central "server" instance, I edit
> /var/ossec/rules/local_rules.xml and add an anti-rule, specifying level="0"
> for the particular pattern-match. I then restart with
> /var/ossec/bin/ossec-control restart.
>
> It seems to take a very long time for that change to propagate & take effect
> on the "agents".
>
> Do I need to do something to manually make the updates apply across the
> board, or can I alter some setting to make the updates a bit more immediate?
>
> Cheers,
> --
> Chris Phillips
