2012/9/24 dan (ddp) <[email protected]>
> On Mon, Sep 24, 2012 at 9:27 AM, Michiel van Es <[email protected]> wrote:
>> 2012/9/24 dan (ddp) <[email protected]>
>>> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es <[email protected]> wrote:
>>>> 2012/9/24 dan (ddp) <[email protected]>
>>>>> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es <[email protected]> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> We are using OSSEC for a PoC and we want to show only some alerts
>>>>>> initially and expand the alert list.
>>>>>> We are using OSSEC 2.6 mixed Windows and Linux agents.
>>>>>> 1 Manager and several agents and Splunk on the manager server to show
>>>>>> the alerts.
>>>>>>
>>>>>> For now we want to achieve to show only failed and successful logins
>>>>>> and file integrity alerts.
>>>>>> How can we achieve this? => manually going through all rules/xml files
>>>>>> and set accordingly all xml entries to 0 or anything else? (0 meaning
>>>>>> disabled and don't show) or is there an easier way of achieving this?
>>>>>>
>>>>>> Kind regards,
>>>>>>
>>>>>> Michiel
>>>>>
>>>>> You can remove entire rules files if you don't want to use them. Just
>>>>> test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
>>>>> to make sure you didn't get rid of something necessary.
>>>>
>>>> Would you suggest creating specific rules in xml files with the correct
>>>> alerts and move/disable all others and start from there?
>>>
>>> You should do it however you think is best. I don't like this approach
>>> and don't have an opinion on it.
>>
>> What would you suggest?
>
> I think you should do what works for you. If starting small and adding
> more later is better for your organization, do it. If I was going to
> do it that way I'd probably remove the entries for the rule files in
> /var/ossec/etc/ossec.conf.

Clear. Thx will work something out!

Michiel
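A worked example of the approach dan suggests, added here and not taken from the thread: a shell function that comments out every `<include>` in the `<rules>` section of ossec.conf except an allowlist covering the login and file-integrity rule files, run over a constructed sample config. The file names in KEEP are rule files that ship with OSSEC; keeping rules_config.xml is an assumption, made because other rule files chain from its base rules, and the "disabled for PoC" marker is a constructed convention.

```shell
#!/bin/sh
# Constructed sample of the <rules> section of an OSSEC 2.6 ossec.conf.
SAMPLE_CONF=$(cat <<'EOF'
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ms_auth_rules.xml</include>
    <include>syscheck_rules.xml</include>
    <include>attack_rules.xml</include>
  </rules>
</ossec_config>
EOF
)

# Rule files to keep for "logins + file integrity". rules_config.xml is
# assumed required because other rule files chain from its base rules.
KEEP="rules_config.xml pam_rules.xml sshd_rules.xml ms_auth_rules.xml syscheck_rules.xml"

# prune_rule_includes: read ossec.conf on stdin and write it to stdout with
# every <include> whose file is not in $KEEP turned into an XML comment.
# Commenting rather than deleting keeps the full list for later expansion.
prune_rule_includes() {
  awk -v keep="$KEEP" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /<include>.*<\/include>/ {
      f = $0
      sub(/.*<include>/, "", f); sub(/<\/include>.*/, "", f)
      if (!(f in want)) { print "    <!-- " f " disabled for PoC -->"; next }
    }
    { print }
  '
}

# count_active_includes: number of <include> lines still live on stdin,
# a quick sanity check before running /var/ossec/bin/ossec-logtest -t.
count_active_includes() {
  grep -c '<include>'
}

# Workflow on a real manager: back up /var/ossec/etc/ossec.conf, write the
# pruned output over it, then validate with /var/ossec/bin/ossec-logtest -t
# and feed it a known login line to confirm the kept rules still fire.
printf '%s\n' "$SAMPLE_CONF" | prune_rule_includes
```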
