I think you've hit it, Christopher.

I hadn't been checking to see that the process tree had stopped. It appears 
that at one point in the past the tree failed to respond.

After waiting 10 minutes the tree was still active, I killed all ossec processes 
and it now responds as I would expect to the stop command.

I'm assuming that this will fix my alert issues, as the rules were likely never 
recycled.

Thank you for the helpful reminder.

Scott


On Apr 20, 2012, at 8:05 AM, Christopher Moraes wrote:

> Scott, 
> 
> Can you try this -
> 
> 1.  Shutdown ossec
> 2.  Wait for a minute
> 3.  Check that no ossec processes are running (ps -eaf | grep ossec)
> 4.  Start OSSEC and check if you are still getting the alerts
> 
> 
> On Thu, Apr 19, 2012 at 11:19 AM, Scott Klauminzer <[email protected]> 
> wrote:
> Yes, Only 1 entry is returned:
> 
> grep "rule id=\"1002\"" /var/ossec/rules/*.xml
> /var/ossec/rules/syslog_rules.xml:  <rule id="1002" level="2">
> 
> Scott
> 
> 
> 
> On Apr 18, 2012, at 1:08 PM, Christopher Moraes wrote:
> 
>> Since you mentioned this -
>> 
>> On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer <[email protected]> wrote:
>> This is happening with all syslog_rules.xml modifications, but
>> msauth_rules.xml mods *are* working.
>> 
>> 
>> Is it possible that there is a copy of your syslog-rules.xml file that is 
>> triggering the rule 1002?
>> 
>> If you grep "rule id=\"1002\"" /var/ossec/rules/*.xml
>> 
>> do you have only one entry, as below?
>> syslog_rules.xml:  <rule id="1002" level="2">
>>  
> 
> 
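The two checks the thread turns on, whether a rule id such as 1002 is defined in more than one file under the rules directory and whether the ossec process tree has really gone away before a restart, can be scripted. The POSIX shell below is an added example and not code from the thread or from the OSSEC project; the rule files it creates (`syslog_rules.xml`, `local_rules.xml`) are constructed in a temporary directory so the script runs offline, and `ossec_tree_stopped` assumes a `ps -ef` that lists every process, as on Linux and BSD.

```shell
#!/bin/sh
# Added example: detect duplicate OSSEC rule ids across a rules directory and
# confirm that no ossec processes linger before restarting the daemon tree.

# Print every rule id that appears in more than one <rule id="..."> tag under
# the directory given as $1, one id per line, in numeric order.
find_duplicate_rule_ids() {
    rules_dir=$1
    # -h drops file names, -o prints only the matched attribute
    grep -ho 'rule id="[0-9]*"' "$rules_dir"/*.xml \
        | sed 's/rule id="\([0-9]*\)"/\1/' \
        | sort -n | uniq -d
}

# List the files under $1 that define rule id $2, so the stale copy is visible.
show_rule_definitions() {
    rules_dir=$1
    rule_id=$2
    grep -l "rule id=\"$rule_id\"" "$rules_dir"/*.xml
}

# Return 0 when no ossec process is running, 1 otherwise. This is the thread's
# `ps -eaf | grep ossec` check; the [o] trick keeps grep from matching itself.
ossec_tree_stopped() {
    if ps -ef | grep '[o]ssec' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Build a constructed rules directory in which id 1002 is defined twice
# (a stock rule plus a stale local copy) and print its path.
make_demo_rules_dir() {
    d=$(mktemp -d)
    cat > "$d/syslog_rules.xml" <<'EOF'
<group name="syslog">
  <rule id="1002" level="2">
    <match>bad words</match>
  </rule>
  <rule id="1003" level="13">
    <description>Non standard syslog message</description>
  </rule>
</group>
EOF
    cat > "$d/local_rules.xml" <<'EOF'
<group name="local">
  <rule id="1002" level="7">
    <description>Stale copy shadowing the stock rule</description>
  </rule>
  <rule id="100001" level="5">
    <description>Site-specific rule</description>
  </rule>
</group>
EOF
    echo "$d"
}

# Stand-alone run: report duplicates in the constructed directory, then clean up.
demo_dir=$(make_demo_rules_dir)
echo "Duplicate rule ids under $demo_dir:"
for id in $(find_duplicate_rule_ids "$demo_dir"); do
    echo "  rule $id is defined in:"
    show_rule_definitions "$demo_dir" "$id" | sed 's/^/    /'
done
rm -rf "$demo_dir"
```

On a real host, point `find_duplicate_rule_ids` at `/var/ossec/rules` and call `ossec_tree_stopped` in a short loop after `ossec-control stop` before starting again; a duplicate id or a surviving process explains why an edited rule appears to have no effect.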
