2012/9/24 dan (ddp) <[email protected]>

> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es <[email protected]> wrote:
> >
> > 2012/9/24 dan (ddp) <[email protected]>
> >
> > > On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es <[email protected]> wrote:
> > > > Hello,
> > > >
> > > > We are using OSSEC for a PoC and we want to show only some alerts
> > > > initially and expand the alert list.
> > > > We are using OSSEC 2.6 mixed Windows and Linux agents.
> > > > 1 Manager and several agents and Splunk on the manager server to show
> > > > the alerts.
> > > >
> > > > For now we want to achieve to show only failed and successful logins and
> > > > file integrity alerts.
> > > > How can we achieve this? => manually going through all rules/xml files
> > > > and set accordingly all xml entries to 0 or anything else? (0 meaning
> > > > disabled and don't show) or is there an easier way of achieving this?
> > > >
> > > > Kind regards,
> > > >
> > > > Michiel
> > >
> > > You can remove entire rules files if you don't want to use them. Just
> > > test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
> > > to make sure you didn't get rid of something necessary.
> >
> > Would you suggest creating specific rules in xml files with the correct
> > alerts and move/disable all others and start from there?
>
> You should do it however you think is best. I don't like this approach
> and don't have an opinion on it.

What would you suggest?

> > This has to be done on the manager /var/ossec/rules and use these rules in
> > /var/ossec/etc/ossec-server.conf , correct?
>
> I don't know what ossec-server.conf is. It doesn't exist on any of my
> systems.

It's the server.conf made by the Atomic RPM.

> > After that a restart of ossec-hids?
> >
> > Thanks for the help
> >
> > Michiel
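The two approaches discussed in the thread (dropping whole rule files versus setting individual rules to level 0) can be combined on the manager. The following is an added example, not configuration from the thread or from the OSSEC project: a trimmed `<rules>` section for the manager's ossec.conf (the Atomic RPM names the file ossec-server.conf; the syntax is the same) that keeps only the files carrying login and syscheck rules, plus a local_rules.xml that silences one noisy rule without editing the vendor file. The rule file names, the 5500/5700/18100 rule ranges and rule 5502's match text are taken from the default OSSEC 2.x rule set as I remember it; check them against the files in /var/ossec/rules on your own manager before copying.

```xml
<!--
  File 1: /var/ossec/etc/ossec.conf on the manager (only the <rules> section
  is shown; the stock file lists several dozen *_rules.xml files here).
  Order matters: rules_config.xml must stay first because it defines the
  generic parent rules that the others chain from with <if_sid>, and
  local_rules.xml must stay last so its overrides are loaded after the
  rules they replace.  Every file left out is a set of alerts that can no
  longer fire, which is the point of the PoC.
-->
<ossec_config>
  <rules>
    <include>rules_config.xml</include>   <!-- generic rules, always required -->
    <include>pam_rules.xml</include>      <!-- Linux logins via PAM (5500-series) -->
    <include>sshd_rules.xml</include>     <!-- sshd accepted/failed logins (5700-series) -->
    <include>msauth_rules.xml</include>   <!-- Windows logon success/failure (18100-series) -->
    <include>ossec_rules.xml</include>    <!-- syscheck integrity alerts (550 changed,
                                               553 deleted) and OSSEC's own agent messages -->
    <include>local_rules.xml</include>
  </rules>
</ossec_config>

<!--
  File 2: /var/ossec/rules/local_rules.xml.  Instead of editing
  pam_rules.xml, redefine the unwanted rule here at level 0 with
  overwrite="yes".  OSSEC replaces the whole rule, so the original
  <if_sid> and <match> conditions have to be repeated, otherwise the new
  definition matches nothing and the old one is gone.  Keeping the change
  in local_rules.xml also means a package upgrade will not re-enable it.
  Rule 5502 ("session closed") fires for every PAM login and adds nothing
  to a "who logged in" view.
-->
<group name="local,">
  <rule id="5502" level="0" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session closed for user</match>
    <description>PAM session closed (silenced for the PoC).</description>
  </rule>
</group>
```

Run `/var/ossec/bin/ossec-logtest -t` after every change, as suggested in the thread: it loads the rule set exactly as ossec-analysisd would and fails with a "Signature ID ... not found" style error when an `<if_sid>` points at a rule whose file was removed from the include list. Then confirm the alerts you kept still fire by piping a constructed log line through the same tool without `-t`, for example `echo 'Sep 24 09:21:00 host sshd[1234]: Failed password for root from 10.0.0.5 port 4321 ssh2' | /var/ossec/bin/ossec-logtest`, which should print the matching sshd rule and its level. The rule set is only read at start-up, so the manager has to be restarted (`/var/ossec/bin/ossec-control restart`) before the change reaches the alerts Splunk reads.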
