i'll try that. Thanks for the advice. On Wed, Aug 31, 2016 at 9:37 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Aug 31, 2016 at 10:36 AM, Derek Day <[email protected]> wrote: > > I'm running this on a security onion setup with a master and sensor > servers. > > I am modifying the local_rules file on each sensor server so maybe this > is > > why it's not acting right? > > > > I believe you should modify it on the master, and it should be > automatically propagated to the sensors. > > > On Wed, Aug 31, 2016 at 9:33 AM, dan (ddp) <[email protected]> wrote: > >> > >> On Wed, Aug 31, 2016 at 10:26 AM, Derek Day <[email protected]> wrote: > >> > I am trying to add some rules to my local_rules.xml file, and I've > >> > noticed > >> > that after I add the rules, restart the ossec service, after a while > >> > maybe > >> > 10-30 minutes or so (I didn't time it) the rule is gone from the > >> > local_rules.xml file. Is this normal behavior? where did my rules go? > >> > > >> > Thanks for any clarification! > >> > > >> > >> No, this is not normal. Does local_rules.xml revert to the default > state? > >> Do you have a configuration management system that could be interfering? > >> > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> > an > >> > email to [email protected]. > >> > For more options, visit https://groups.google.com/d/optout. > >> > >> -- > >> > >> --- > >> You received this message because you are subscribed to a topic in the > >> Google Groups "ossec-list" group. > >> To unsubscribe from this topic, visit > >> https://groups.google.com/d/topic/ossec-list/ryOwPYjp2PI/unsubscribe. > >> To unsubscribe from this group and all its topics, send an email to > >> [email protected]. > >> For more options, visit https://groups.google.com/d/optout. > > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit https://groups.google.com/d/ > topic/ossec-list/ryOwPYjp2PI/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
