Scott, can you try this -

1. Shut down ossec
2. Wait for a minute
3. Check that no ossec processes are running (ps -eaf | grep ossec)
4. Start OSSEC and check if you are still getting the alerts

On Thu, Apr 19, 2012 at 11:19 AM, Scott Klauminzer <[email protected]> wrote:
> Yes, only 1 entry is returned:
>
> grep "rule id=\"1002\"" /var/ossec/rules/*.xml
> /var/ossec/rules/syslog_rules.xml: <rule id="1002" level="2">
>
> Scott
>
> On Apr 18, 2012, at 1:08 PM, Christopher Moraes wrote:
>
> Since you mentioned this -
>
> On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer <[email protected]> wrote:
>
>> This is happening with all syslog_rules.xml modifications, but
>> msauth_rules.xml mods *are* working.
>>
>
> Is it possible that there is a copy of your syslog-rules.xml file that is
> triggering the rule 1002?
>
> If you grep "rule id=\"1002\"" /var/ossec/rules/*.xml
>
> do you have only one entry, as below?
> syslog_rules.xml: <rule id="1002" level="2">
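The two checks discussed in this thread, the grep for a second definition of rule 1002 and the stop / wait / verify / start sequence, as a script. This is an added example, not code from the OSSEC project or from anyone in the thread. It assumes the default install paths (rules in /var/ossec/rules, the control script at /var/ossec/bin/ossec-control), both overridable by environment variable, and builds its own constructed sample rules directory so it can be run stand-alone without touching a live install; the rule bodies in that sample are made up and only the ids matter to the check.

```shell
#!/bin/sh
# Added example; not OSSEC project code and not from the thread above.
# Assumed defaults, overridable from the environment.
RULES_DIR="${RULES_DIR:-/var/ossec/rules}"
OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"

find_duplicate_rule_ids() {
    # $1: rules directory. Prints each id that appears in more than one
    # <rule id="..."> element across *.xml, one per line; nothing if unique.
    grep -ho 'rule id="[0-9]*"' "$1"/*.xml 2>/dev/null \
        | sed 's/.*id="\([0-9]*\)".*/\1/' \
        | sort -n | uniq -d
}

files_defining_rule() {
    # $1: rules directory, $2: rule id. Lists every file defining that id,
    # which is how you find the stray copy once a duplicate is reported.
    grep -l "rule id=\"$2\"" "$1"/*.xml 2>/dev/null
}

ossec_process_count() {
    # Count ossec daemons (ossec-analysisd, ossec-logcollector, ...).
    # The bracket trick keeps the grep itself out of the count, which a
    # plain "ps -eaf | grep ossec" does not.
    ps -eaf | grep -c '[o]ssec-'
}

restart_ossec_clean() {
    # Steps 1-4 from the reply above. Refuses to start if anything ossec
    # survived the stop, and shows what is left so it can be dealt with.
    "$OSSEC_CONTROL" stop
    sleep 60
    if [ "$(ossec_process_count)" -ne 0 ]; then
        echo "ossec processes still running; not starting:" >&2
        ps -eaf | grep '[o]ssec-' >&2
        return 1
    fi
    "$OSSEC_CONTROL" start
}

make_sample_rules_dir() {
    # Constructed sample for a stand-alone run (not the real syslog_rules.xml).
    # A leftover copy of the file re-defines 1002, the situation suspected above.
    dir=$(mktemp -d)
    cat > "$dir/syslog_rules.xml" <<'EOF'
<group name="syslog,">
  <rule id="1002" level="2">
    <description>Constructed sample rule 1002.</description>
  </rule>
  <rule id="1003" level="13">
    <description>Constructed sample rule 1003.</description>
  </rule>
</group>
EOF
    cat > "$dir/syslog_rules.xml.bak.xml" <<'EOF'
<group name="syslog,">
  <rule id="1002" level="2">
    <description>Stray copy of rule 1002.</description>
  </rule>
</group>
EOF
    echo "$dir"
}

demo() {
    # Run the duplicate check against the constructed sample, then clean up.
    d=$(make_sample_rules_dir)
    for id in $(find_duplicate_rule_ids "$d"); do
        echo "rule id $id is defined more than once:"
        files_defining_rule "$d" "$id" | sed 's/^/  /'
    done
    rm -rf "$d"
}

demo
```

To run it against a real install, call `find_duplicate_rule_ids "$RULES_DIR"` and, if it reports anything, `files_defining_rule "$RULES_DIR" <id>`. One caveat: OSSEC 2.x only loads the rule files named by `<include>` entries in the `<rules>` section of ossec.conf, so a duplicate found by the directory scan is only the cause if that file is included too; check the include list as well as the directory.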
