Just an update in case anyone else does the same thing. Dan's advice was correct. Add the rule you wish to add to the master server and not directly to the sensor and it will propagate out. Not sure why I didn't think of that to begin with.
Thank you Dan

On Wed, Aug 31, 2016 at 9:38 AM, Derek Day <[email protected]> wrote:

> I'll try that. Thanks for the advice.
>
> On Wed, Aug 31, 2016 at 9:37 AM, dan (ddp) <[email protected]> wrote:
>
>> On Wed, Aug 31, 2016 at 10:36 AM, Derek Day <[email protected]> wrote:
>> > I'm running this on a security onion setup with a master and sensor servers.
>> > I am modifying the local_rules file on each sensor server so maybe this is
>> > why it's not acting right?
>>
>> I believe you should modify it on the master, and it should be
>> automatically propagated to the sensors.
>>
>> > On Wed, Aug 31, 2016 at 9:33 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Wed, Aug 31, 2016 at 10:26 AM, Derek Day <[email protected]> wrote:
>> >> > I am trying to add some rules to my local_rules.xml file, and I've noticed
>> >> > that after I add the rules, restart the ossec service, after a while maybe
>> >> > 10-30 minutes or so (I didn't time it) the rule is gone from the
>> >> > local_rules.xml file. Is this normal behavior? Where did my rules go?
>> >> >
>> >> > Thanks for any clarification!
>> >>
>> >> No, this is not normal. Does local_rules.xml revert to the default state?
>> >> Do you have a configuration management system that could be interfering?
