On Thu, Feb 6, 2014 at 11:31 AM, Janelle <[email protected]> wrote:
> The only problem with that is creating hundreds of new rules. Also, I had
> posted about this a month or two ago - the child rules fire with
> ossec-logtest, but restarting the server - they don't fire under the actual
> manager - only under log test - which of course makes no sense at all. Still
> trying to troubleshoot how something can work with log test and NOT with the
> manager - even on the same system.
>

I didn't say it was a good idea.
I must have missed that thread. There's generally not much difference
between what will fire with ossec-logtest and ossec-analysisd. Usually
the solution involves restarting ossec-analysisd (which may not have
restarted previously for some unknown reason).

> ~J
>
> On Thursday, February 6, 2014 5:07:35 AM UTC-8, dan (ddpbsd) wrote:
>>
>> On Tue, Feb 4, 2014 at 4:40 PM, Janelle <[email protected]> wrote:
>> > Here is an interesting situation --
>> >
>> > One OSSEC Manager with say 1000 agents.
>> >
>> > 200 of those agents are located in a private DMZ, the remaining 800
>> > behind that zone. I created a CDB of the 200 hosts, and was wondering,
>> > could there be a way to apply some text to a group of rules -- for
>> > example <group>access_denied,</group> - so that anything from that
>> > particular group - IF it also showed up in the CDB could add something
>> > like (Rule triggered in DMZ) or something like that?
>> >
>> > Any ideas??
>> >
>>
>> Create child rules containing the group you want.
>>
>> > ~J
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
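
One way to write the child-rule suggestion from this thread as configuration, added here as an example and not taken from the original posts or from the OSSEC project: a single child rule that hangs off the whole access_denied group and also requires a CDB match. The rule id 100200, the level, the list path lists/dmz_hosts, the sample key and the choice of the hostname field are assumptions; the CDB keys must match exactly the hostname value ossec-analysisd sees for those agents.

```xml
<!-- Added example, not from the thread. All ids, paths and names are assumptions. -->

<!-- Source list file (plain text, one "key:value" per line), e.g.
     /var/ossec/lists/dmz_hosts containing a constructed entry:
       dmz-web01:dmz
     Compile it with /var/ossec/bin/ossec-makelists, then restart OSSEC so
     ossec-analysisd reloads both the rules and the list. -->

<!-- ossec.conf on the manager: register the list alongside the rule includes -->
<ossec_config>
  <rules>
    <list>lists/dmz_hosts</list>
  </rules>
</ossec_config>

<!-- local_rules.xml: one child rule for every rule in the access_denied group -->
<group name="local,dmz,">
  <rule id="100200" level="5">
    <!-- Parent condition: any rule already tagged with the access_denied group -->
    <if_group>access_denied</if_group>
    <!-- Extra condition: the event's hostname is a key in the DMZ CDB -->
    <list field="hostname" lookup="match_key">lists/dmz_hosts</list>
    <description>Access denied (Rule triggered in DMZ)</description>
    <!-- The child's level replaces the parent's for matching events; pick a
         level that does not hide higher-severity parents. -->
  </rule>
</group>
```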
