2012/9/24 Michiel van Es <[email protected]>
>
> 2012/9/24 dan (ddp) <[email protected]>
>
>> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es <[email protected]> wrote:
>> >
>> > 2012/9/24 dan (ddp) <[email protected]>
>> >
>> >> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es <[email protected]> wrote:
>> >> > Hello,
>> >> >
>> >> > We are using OSSEC for a PoC and we want to show only some alerts initially
>> >> > and expand the alert list.
>> >> > We are using OSSEC 2.6 mixed Windows and Linux agents.
>> >> > 1 Manager and several agents and Splunk on the manager server to show the
>> >> > alerts.
>> >> >
>> >> > For now we want to achieve to show only failed and successful logins and
>> >> > file integrity alerts.
>> >> > How can we achieve this? => manually going through all rules/xml files and
>> >> > set accordingly all xml entries to 0 or anything else? (0 meaning disabled
>> >> > and don't show) or is there an easier way of achieving this?
>> >> >
>> >> > Kind regards,
>> >> >
>> >> > Michiel
>> >>
>> >> You can remove entire rules files if you don't want to use them. Just
>> >> test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
>> >> to make sure you didn't get rid of something necessary.
>> >
>> > Would you suggest creating specific rules in xml files with the correct
>> > alerts and move/disable all others and start from there?
>>
>> You should do it however you think is best. I don't like this approach
>> and don't have an opinion on it.
>
> What would you suggest?
>
>> > This has to be done on the manager /var/ossec/rules and use these rules in
>> > /var/ossec/etc/ossec-server.conf, correct?
>>
>> I don't know what ossec-server.conf is. It doesn't exist on any of my
>> systems.
>
> It's the server.conf made by the Atomic RPM.

Sorry, I mean ossec.conf symlinked to ossec-server.conf made by the Atomic RPM.

>> > After that a restart of ossec-hids?
>> >
>> > Thanks for the help
>> >
>> > Michiel
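The thread leaves open how to keep only the login and file-integrity alerts without deleting whole rules files. The script below is an added example (my code, not from the thread or the OSSEC project) that generates a `local_rules.xml` doing exactly that through OSSEC's documented override mechanism: a rule re-declared with `overwrite="yes"` replaces the stock rule, and level 0 (the "0 meaning disabled" from the question) is never alerted. The stock rule's matching conditions are copied into each override so it still matches the same events, and rules already at level 0 are left alone because they usually act as `if_sid` parents for the rules you do want. The two rule-file snippets and the allow-list are constructed and cut down, not copies of the stock files.

```python
"""Generate an OSSEC local_rules.xml that silences every stock rule not on
an allow-list, leaving only the alerts you want (logins, file integrity).

Added example, not from the mailing-list thread. Assumptions: OSSEC's
local_rules.xml mechanism, where a rule re-declared with overwrite="yes"
replaces the stock rule and level 0 is never alerted. The stock rule's
conditions (if_sid, match, decoded_as, ...) are copied into the override
so it keeps matching the same events; parent rules stay intact, so allowed
child rules that reference them via if_sid still fire.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed, cut-down stand-ins for stock rule files (the real ones live
# in /var/ossec/rules/ on the manager). Not verbatim copies of OSSEC rules.
SAMPLE_RULE_FILES = {
    "syslog_rules.xml": """
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="5500" level="0" noalert="1">
    <decoded_as>pam</decoded_as>
    <description>Grouping of the pam_unix rules.</description>
  </rule>
  <rule id="5501" level="3">
    <if_sid>5500</if_sid>
    <match>session opened for user</match>
    <description>Login session opened.</description>
    <group>authentication_success,</group>
  </rule>
</group>
""",
    "syscheck_rules.xml": """
<group name="syscheck,">
  <rule id="550" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>
</group>
<group name="ossec,">
  <rule id="591" level="3">
    <match>^ossec: Log file</match>
    <description>Log file rotated.</description>
  </rule>
</group>
""",
}

# Rule ids whose alerts should stay visible (constructed allow-list).
ALLOWED_IDS = {"5501", "550"}


def parse_rules(xml_text):
    """Return all <rule> elements in one rules file.

    A rules file is several top-level <group> elements plus comments, not
    one XML document, so it is wrapped in a synthetic root before parsing.
    A file with an unescaped '&' or '<' raises ET.ParseError here.
    """
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return list(root.iter("rule"))


def build_overrides(rule_files, allowed_ids):
    """Return (local_rules_xml, silenced_ids).

    Every rule not in allowed_ids is re-emitted as a copy with level="0"
    and overwrite="yes". Rules already at level 0 never alert and are left
    alone; they usually serve as if_sid parents for other rules.
    """
    local = ET.Element("group", name="local,")
    silenced = []
    for fname, text in sorted(rule_files.items()):
        try:
            rules = parse_rules(text)
        except ET.ParseError as exc:
            raise ValueError(f"{fname}: not parseable as XML: {exc}") from exc
        for rule in rules:
            rid = rule.get("id")
            if rid in allowed_ids or rule.get("level") == "0":
                continue
            override = copy.deepcopy(rule)  # keep the original conditions
            override.set("level", "0")
            override.set("overwrite", "yes")
            local.append(override)
            silenced.append(rid)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(local)
    return ET.tostring(local, encoding="unicode"), silenced


if __name__ == "__main__":
    xml_out, ids = build_overrides(SAMPLE_RULE_FILES, ALLOWED_IDS)
    print(xml_out)  # goes into /var/ossec/rules/local_rules.xml on the manager
    print("silenced:", ids)
```

Run it against the real contents of `/var/ossec/rules/` on the manager, write the output to `local_rules.xml` (which the stock `ossec.conf` includes after the other rules files), then do what dan recommends in the thread: `/var/ossec/bin/ossec-logtest -t` to confirm the rule set still loads, and restart the manager. A stock file the parser rejects is reported by name rather than silently skipped, so nothing stays enabled by accident.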
