On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es <[email protected]> wrote:
> Hello,
>
> We are using OSSEC for a PoC and we want to show only some alerts initially
> and expand the alert list.
> We are using OSSEC 2.6 mixed Windows and Linux agents.
> 1 Manager and several agents and Splunk on the manager server to show the
> alerts.
>
> For now we want to show only failed and successful logins and
> file integrity alerts.
> How can we achieve this? => manually going through all rules/xml files and
> set accordingly all xml entries to 0 or anything else? (0 meaning disabled
> and don't show) or is there an easier way of achieving this?
>
> Kind regards,
>
> Michiel

You can remove entire rules files if you don't want to use them. Just
test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
to make sure you didn't get rid of something necessary.
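
An added example, written for this page rather than taken from the thread or from OSSEC itself: instead of trimming the rules files, leave the ruleset intact and post-filter alerts.log on the rule groups before Splunk indexes it, so the PoC can widen the alert list later without touching the manager. It assumes the multi-line alerts.log layout OSSEC 2.x writes (header line with epoch and comma-separated groups, then a `Rule:` line), and the group names the stock rules attach to login and syscheck alerts (`authentication_failed`, `authentication_success`, `syscheck`); the sample alerts below are constructed, not captured from a real manager. Confirm the group names for your own rules files with ossec-logtest before relying on them.

```python
"""Post-filter an OSSEC 2.x alerts.log down to a chosen set of rule groups.

Added example, not code from the mailing-list thread or from OSSEC.
The file layout assumed here is what OSSEC 2.x writes to
/var/ossec/logs/alerts/alerts.log: each alert opens with

    ** Alert <epoch>.<seq>: [mail  ]- <group1>,<group2>,...,
    <date> (<agent>) <ip>-><location>
    Rule: <id> (level <n>) -> '<description>'
    ...raw event lines...

and alerts are separated by a blank line.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Header line; the optional "mail" marker means the alert was also e-mailed.
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): (?:mail\s+)?- (.*)$")
# Rule line, e.g.  Rule: 5716 (level 5) -> 'SSHD authentication failed.'
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

# Groups the stock sshd/pam and syscheck rules attach to the alerts the PoC
# wants. The stock Windows logon rules (msauth_rules.xml) use the same
# authentication_* names as far as I know, so the same filter should cover the
# Windows agents; check your copy of the rules with ossec-logtest.
WANTED_GROUPS: Set[str] = {"authentication_failed", "authentication_success", "syscheck"}


@dataclass
class Alert:
    epoch: int
    groups: Set[str]
    rule_id: int
    level: int
    description: str
    raw: str  # the alert exactly as written, so it can be re-emitted unchanged


def parse_alerts(text: str) -> List[Alert]:
    """Split an alerts.log dump into Alert records, using header lines as the
    delimiter (more robust than blank lines, which raw events may contain)."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    alerts: List[Alert] = []
    for block in blocks:
        header = HEADER_RE.match(block[0])
        groups = {g for g in header.group(3).split(",") if g}  # drop trailing empty
        rule_id, level, desc = 0, 0, ""
        for line in block[1:]:
            m = RULE_RE.match(line)
            if m:
                rule_id, level, desc = int(m.group(1)), int(m.group(2)), m.group(3)
                break
        raw = "\n".join(block).rstrip("\n") + "\n"
        alerts.append(Alert(int(header.group(1)), groups, rule_id, level, desc, raw))
    return alerts


def select(alerts: List[Alert], wanted: Set[str] = WANTED_GROUPS) -> List[Alert]:
    """Keep an alert if any of its groups is in the wanted set."""
    return [a for a in alerts if a.groups & wanted]


def filter_log(text: str, wanted: Set[str] = WANTED_GROUPS) -> str:
    """Return only the wanted alerts, in original format, blank-line separated,
    ready to be written to a file that Splunk monitors instead of alerts.log."""
    return "\n".join(a.raw for a in select(parse_alerts(text), wanted))


# Constructed sample input (not a real capture); rule ids and descriptions
# follow the stock OSSEC 2.x rules, agent names and addresses are made up.
SAMPLE_ALERTS_LOG = """\
** Alert 1348472423.1001: - syslog,sshd,authentication_failed,
2012 Sep 24 10:00:23 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.10
User: root
Sep 24 10:00:22 web01 sshd[1234]: Failed password for root from 192.168.1.10 port 5022 ssh2

** Alert 1348472431.1002: - pam,syslog,authentication_success,
2012 Sep 24 10:00:31 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
User: michiel
Sep 24 10:00:30 web01 sshd[1240]: pam_unix(sshd:session): session opened for user michiel by (uid=0)

** Alert 1348472500.1003: mail  - ossec,syscheck,
2012 Sep 24 10:01:40 (db01) 10.0.0.7->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1803' to '1851'

** Alert 1348472512.1004: - syslog,errors,
2012 Sep 24 10:01:52 (web01) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Sep 24 10:01:51 web01 kernel: [12345.678] nfs: server nas not responding, timed out

** Alert 1348472600.1005: - ossec,rootcheck,
2012 Sep 24 10:03:20 (db01) 10.0.0.7->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/.hidden' present on /dev. Possible hidden file.
"""

if __name__ == "__main__":
    print(filter_log(SAMPLE_ALERTS_LOG), end="")
```

Run against the sample, the three login and integrity alerts survive and the generic syslog and rootcheck alerts are dropped. Widening the PoC later is a one-line change to `WANTED_GROUPS`; the alerts keep their original text, so existing Splunk field extractions continue to work.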
