Like Dan said, it won't rescan old logs.

If you are looking for a way to rescan every past event.. that will be
difficult, and even if you can do it, the alerts' timestamps will be wrong.

I am sorry but I am not sure of understanding what you mean by "restart the
predecoding, decoding of everything".

Please don't hesitate to keep asking, I'll be happy to help.



On Thu, Jun 2, 2016 at 3:59 PM, dan (ddp) <[email protected]> wrote:

> On Thu, Jun 2, 2016 at 9:19 AM, Tahir Hafiz <[email protected]> wrote:
> > Thanks Pedro,
> >
> > So if I "rm /var/ossec/logs/alerts/alerts.log"
> > And then "service ossec restart", that should be enough to restart the
> > predecoding, decoding of everything and test out my local_rules.xml to see
> > if certain alerts no longer appear in the alerts.log?
> >
>
> I don't think it will rescan old logs.
>
> > I will have a play with ossec-logtest too.
> >
> > Cheers
> >
> >
> > On Thursday, 2 June 2016 12:31:59 UTC+1, Pedro S wrote:
> >>
> >> Hi Tahir,
> >>
> >> I don't think OSSEC has a tool to do that; the option you have is to remove
> >> previous/old alerts files, remove the alerts.log file and restart OSSEC. Another
> >> possibility is to create an intermediate script to search for all the
> >> occurrences of the alerts and remove them from every past alerts file.
> >>
> >> If you need to test the rules you created, you can do that using
> >> /var/ossec/bin/ossec-logtest and pasting the event you want to inspect.
> >> You won't need to restart OSSEC because ossec-logtest loads the rules every
> >> time you run it, but once you check that the rule is working you will need
> >> to restart OSSEC to apply the changes.
> >>
> >>
> >> On Thursday, June 2, 2016 at 12:48:14 PM UTC+2, Tahir Hafiz wrote:
> >>>
> >>> Dear All,
> >>>
> >>> If I make changes to my local_rules.xml and add some rules in there to
> >>> effectively whitelist some false positives which happen as an environment
> >>> starts building (i.e. make them associate to level 0),
> >>> and then I want to test my new local_rules.xml without having to destroy
> >>> and start a new environment again - is there a way to wipe clean the alerts
> >>> file and get OSSEC to do its predecoding, decoding stuff from all the
> >>> received log entries from the OSSEC agents from fresh?
> >>> So effectively have a fresh alerts file which implements my new changes
> >>> in the local_rules.xml file.
> >>>
> >>> Cheers
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.


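Pedro's second suggestion above, an "intermediate script" that removes the alerts of now-whitelisted rules from past alerts files, as an added example that is not code from this thread or from the OSSEC project. It assumes OSSEC's plain-text alerts.log layout: each alert begins with a `** Alert ...` header line, carries a `Rule: <id> (level <n>) -> '<description>'` line, and is separated from the next alert by a blank line. The sample alerts, their rule IDs and descriptions are constructed for the example. Note what Dan and Pedro both point out: this only prunes old alert records, it does not re-evaluate the original events under the new local_rules.xml (ossec-logtest does that), so the script writes to a new file and leaves the source file untouched.

```python
"""Prune alerts produced by whitelisted rule IDs out of an OSSEC alerts.log.

Added example for the ossec-list thread; not OSSEC project code. Assumes the
default plain-text alerts.log layout (see module-level comments below).
"""
import re
from typing import List, Optional, Set, Tuple

# Rule line inside an alert block, e.g.
#   Rule: 5716 (level 5) -> 'SSHD authentication failed.'
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\)")


def split_alerts(text: str) -> List[str]:
    """Split alerts.log content into alert blocks.

    Assumption: every alert starts with a "** Alert " header; blank lines
    only separate alerts and never appear inside one.
    """
    blocks: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.startswith("** Alert "):
            if current:
                blocks.append("\n".join(current))
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        blocks.append("\n".join(current))
    return blocks


def rule_info(block: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (rule_id, level) for an alert block, or (None, None) if absent."""
    for line in block.splitlines():
        m = RULE_RE.match(line)
        if m:
            return int(m.group("id")), int(m.group("level"))
    return None, None


def prune_alerts(text: str, whitelisted_rules: Set[int]) -> Tuple[str, int]:
    """Return (kept_text, dropped_count).

    Blocks whose rule ID is whitelisted are dropped. Blocks with no parsable
    Rule line are kept on purpose so that nothing is removed silently.
    """
    kept: List[str] = []
    dropped = 0
    for block in split_alerts(text):
        rule_id, _level = rule_info(block)
        if rule_id is not None and rule_id in whitelisted_rules:
            dropped += 1
            continue
        kept.append(block)
    kept_text = "\n\n".join(kept) + ("\n\n" if kept else "")
    return kept_text, dropped


def prune_file(src_path: str, dst_path: str, whitelisted_rules: Set[int]) -> int:
    """Write the pruned copy of src_path to dst_path; return how many were dropped."""
    with open(src_path, encoding="utf-8", errors="replace") as fh:
        kept_text, dropped = prune_alerts(fh.read(), whitelisted_rules)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(kept_text)
    return dropped


# Constructed sample in OSSEC's alert layout; rule IDs and texts are illustrative.
SAMPLE_ALERTS = """\
** Alert 1464866443.1001: - syslog,sshd,authentication_failed,
2016 Jun 02 12:00:43 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Jun  2 12:00:42 web01 sshd[1234]: Failed password for root from 192.0.2.10 port 5555 ssh2

** Alert 1464866450.1002: - ossec,
2016 Jun 02 12:00:50 (web01) 10.0.0.5->ossec
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1464866500.1003: - syslog,sudo
2016 Jun 02 12:01:40 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: deploy
Jun  2 12:01:39 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

if __name__ == "__main__":
    # Rules 502 and 5402 stand in for the noise that local_rules.xml now sets to level 0.
    kept, dropped = prune_alerts(SAMPLE_ALERTS, {502, 5402})
    print(f"dropped {dropped} alert(s), kept {len(split_alerts(kept))}")
    print(kept)
```

Run it against a real file with `prune_file("/var/ossec/logs/alerts/alerts.log", "/tmp/alerts.pruned.log", {502, 5402})` and inspect the output before replacing anything; keeping the original lets you compare the pruned set with what ossec-logtest reports for the same events under the new rules.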