thanks dan, you got me pointed in the right direction, there was some
stuff above that rule in local_rules.xml that was precluding that rule
from showing up.  I'm good to go now.

On Apr 4, 10:53 am, "dan (ddp)" <[email protected]> wrote:
> Oops, missed this reply. Ignore my other message. I'm guessing 100030 comes
> after 100001 in the file. Make sure it's inside the group tag and isn't
> commented out with <!-- and -->.
> Other than that I'm not sure what else to check offhand. If you sanitized
> local_rules.xml and sent it, maybe someone could find an error.
> On Apr 4, 2012 11:47 AM, "nick talbot" <[email protected]> wrote:
>
> > ohh i see what you're saying,
>
> > 100030 does not show up, however 100001 does show up and it's defined
> > in the same local_rules.xml file
>
> > On Apr 4, 9:11 am, "dan (ddp)" <[email protected]> wrote:
> > > Run ossec-logtest with the debug flag and make sure this rule shows up.
> > > On Apr 4, 2012 10:08 AM, "nick talbot" <[email protected]> wrote:
>
> > > > Yes
>
> > > > /var/ossec/bin/ossec-control restart
>
> > > > On Apr 4, 8:51 am, "dan (ddp)" <[email protected]> wrote:
> > > > > Did you restart the ossec processes on the manager?
> > > > > On Apr 4, 2012 9:48 AM, "nick talbot" <[email protected]> wrote:
>
> > > > > > > I have the following entry in my local_rules.xml, however i am still
> > > > > > > receiving email alerts on this rule.  Should I also set it to 0 in the
> > > > > > > msauth_rules.xml?
>
> > > > > >  <rule id="100030" level="0">
> > > > > >    <if_sid>18153</if_sid>
> > > > > >    <description>List of rules to be ignored.</description>
> > > > > >  </rule>
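
The checks suggested in this thread (the override rule must sit inside a group tag and must not be swallowed by a comment above it) can be scripted. The following Python sketch is an added example, not part of the original messages or of OSSEC itself; the function name `rule_status`, the sample file contents and the placeholder rule 100001 body are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A comment runs to its "-->" or, if never closed, to the end of the file.
COMMENT = re.compile(r"<!--.*?(?:-->|\Z)", re.DOTALL)

def rule_status(rules_text, rule_id):
    """Return active, commented_out, outside_group, missing or parse_error."""
    tag = re.compile(r'<rule\s[^>]*\bid="%s"' % re.escape(rule_id))
    live = COMMENT.sub("", rules_text)          # text that survives comments
    if not tag.search(live):
        return "commented_out" if tag.search(rules_text) else "missing"
    try:
        # Rule files hold several top-level elements, so wrap them in one root.
        root = ET.fromstring("<root>" + live + "</root>")
    except ET.ParseError:
        return "parse_error"                    # broken markup around the rule
    for group in root.iter("group"):
        if any(r.get("id") == rule_id for r in group.iter("rule")):
            return "active"
    return "outside_group"

# Constructed sample inputs (not taken from anyone's real local_rules.xml).
RULE_100001 = ('<rule id="100001" level="0">\n  <if_sid>5711</if_sid>\n'
               '  <description>Constructed placeholder rule.</description>\n</rule>\n')
RULE_100030 = ('<rule id="100030" level="0">\n  <if_sid>18153</if_sid>\n'
               '  <description>List of rules to be ignored.</description>\n</rule>\n')
GROUP_OPEN = '<group name="local,">\n'
SAMPLES = {
    "good": GROUP_OPEN + RULE_100001 + RULE_100030 + "</group>\n",
    "commented": GROUP_OPEN + RULE_100001 + "<!--\n" + RULE_100030 + "-->\n</group>\n",
    "unclosed": GROUP_OPEN + "<!-- old notes\n" + RULE_100030 + "</group>\n",
    "outside": GROUP_OPEN + RULE_100001 + "</group>\n" + RULE_100030,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", rule_status(text, "100030"))
```

A result other than `active` for 100030 matches the symptom described above: 100001 loads while the level 0 override for 18153 never takes effect.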
