Hi Tahir,

I don't think OSSEC has a tool to do that. The option you have is to remove 
previous/old alerts files, remove the alerts.log file and restart OSSEC; 
another possibility is to create an intermediate script to search for all 
the occurrences of the alerts and remove them from every past alerts file.

If you need to test the rules you created, you can do that using 
/var/ossec/bin/ossec-logtest: 
paste the event you want to test and inspect the result. You won't need to restart 
OSSEC because ossec-logtest loads the rules every time you run it, but once 
you check that the rule is working you will need to restart OSSEC to apply the 
changes.


On Thursday, June 2, 2016 at 12:48:14 PM UTC+2, Tahir Hafiz wrote:
>
> Dear All,
>
> If I make changes to my local_rules.xml and add some rules in there to 
> effectively whitelist some false positives which happen as an environment 
> starts building (i.e. make them associate to level 0).
> And then I want to test my new local_rules.xml without having to destroy 
> and start a new environment again - is there a way to wipe clean the alerts 
> file and get OSSEC to do its pre-decoding, decoding stuff from all the 
> received log entries from the OSSEC agents from fresh?
> So effectively have a fresh alerts file which implements my new changes in 
> the local_rules.xml file.
>
> Cheers
>
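
The "intermediate script" option from the reply above, written out as an added example (it is not part of the original thread and not an OSSEC tool). It assumes the standard OSSEC alerts.log format, where each alert is a blank-line-separated block whose third line reads "Rule: <id> (level N) -> '...'", and the default rotated-file layout under /var/ossec/logs/alerts/YYYY/Mon/. The sample alerts and rule IDs in the block are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: remove every alert block that fired a
# given rule ID from OSSEC alerts.log files, so old false positives disappear
# from past alerts files after the rule has been silenced in local_rules.xml.

# Print stdin with every block for rule $1 removed.
drop_rule_alerts() {
    # awk paragraph mode (RS="") makes each blank-line-separated block one record;
    # a block belongs to the rule when it contains a line "Rule: <id> (".
    awk -v id="$1" 'BEGIN { RS = ""; ORS = "\n\n" }
        index($0, "\nRule: " id " ") == 0 { print }'
}

# Count the alert blocks for rule $1 on stdin (verify before and after).
count_rule_alerts() {
    awk -v id="$1" 'BEGIN { RS = "" }
        index($0, "\nRule: " id " ") > 0 { n++ }
        END { print n + 0 }'
}

# Rewrite one alerts file in place, keeping a .bak copy of the original.
scrub_alerts_file() {
    file="$1"; id="$2"
    cp -p "$file" "$file.bak"
    drop_rule_alerts "$id" < "$file.bak" > "$file"
}

# Constructed sample in OSSEC alert format (not real data).
sample_alerts() {
cat <<'EOF'
** Alert 1464864000.100: - syslog,sshd,authentication_failed,
2016 Jun 02 12:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
Jun  2 12:00:00 web01 sshd[1201]: Failed password for root from 10.0.0.9 port 51234 ssh2

** Alert 1464864001.200: - syslog,sudo
2016 Jun 02 12:00:01 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Jun  2 12:00:01 web01 sudo:   deploy : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls

** Alert 1464864002.300: - syslog,sshd,authentication_failed,
2016 Jun 02 12:00:02 (web02) 10.0.0.6->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
Jun  2 12:00:02 web02 sshd[2201]: Failed password for root from 10.0.0.9 port 51235 ssh2
EOF
}

# Usage: sh scrub_alerts.sh <rule_id> [alerts files...]
# With no files given, the live alerts.log and the rotated daily files
# (assumed default OSSEC layout) are processed.
if [ "$#" -ge 1 ]; then
    rule_id="$1"; shift
    if [ "$#" -eq 0 ]; then
        set -- /var/ossec/logs/alerts/alerts.log \
               /var/ossec/logs/alerts/*/*/ossec-alerts-*.log
    fi
    for f in "$@"; do
        if [ -f "$f" ]; then
            scrub_alerts_file "$f" "$rule_id"
        fi
    done
fi
```

Run it with OSSEC stopped (the reply already calls for a restart after the rule change), so ossec-analysisd is not appending to alerts.log while the file is rewritten, and keep the .bak copies until you have confirmed with count_rule_alerts that only the intended rule disappeared.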
