Michael,

Were you able to restart OSSEC after editing syslog_rules.xml? Did it not fail throwing the below message:

"OSSEC analysisd: Testing rules failed. Configuration error. Exiting."

- Saurabh

On Monday, July 7, 2014 at 8:53:24 PM UTC+5:30, Michael Starks wrote:
>
> On 2014-07-07 10:07, Randy Dover wrote:
> > How should I comment it out?
> > I edited syslog_rules.xml (in
> > The way I edited it was:
> > # <rule id='1003'...
> > # <description...
> > # </rule>
> >
> > So, in essence, I just put a "#" in front of each of the lines.
> >
> > That didn't work. I'm still getting the emails. And getting a lot of
> > them.
>
> XML comments are like this: <!-- stuff here -->. So, your rule should
> look like this:
>
> <!-- rule id="1003" level="13" maxsize="304900">
> <description>Non standard syslog message (size too
> large).</description>
> </rule -->
>
> Keep in mind that this is an exceptional case. Normally, you wouldn't
> want to modify rules in any place other than local_rules.xml, as they
> will be overwritten on upgrades.
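
Why the "#" prefix had no effect while the XML comment does, as an added example that is not part of the thread or of OSSEC: a small pre-restart check that lists the rule ids an XML parser still sees in a rules fragment and any stray text left between tags. Python's standard parser stands in for OSSEC's own rule loader, which is an assumption; the function name, the sample fragments, rule 100001 and the group name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def lint_rules(text):
    """Return (rule ids the XML parser still sees, stray text between tags).

    Raises ET.ParseError if the fragment is not well-formed.
    """
    # Rule files hold several top-level <group> elements, so wrap the text in
    # a synthetic root (assumes the file has no <?xml ...?> declaration).
    root = ET.fromstring("<root>" + text + "</root>")
    active = [rule.get("id") for rule in root.iter("rule")]
    stray = []
    for el in root.iter():
        # Text directly inside an element that has children, or following any
        # closing tag, is not markup: a leading "#" ends up here.
        chunks = [el.tail] + ([el.text] if len(el) else [])
        stray += [c.strip() for c in chunks if c and c.strip()]
    return active, stray

# Constructed samples based on the rule quoted in the thread; rule 100001 and
# the group name are made up for illustration.
HASH_STYLE = """
<group name="syslog,">
# <rule id='1003' level='13' maxsize='304900'>
# <description>Non standard syslog message (size too large).</description>
# </rule>
<rule id="100001" level="3"><description>Constructed rule.</description></rule>
</group>
"""

XML_COMMENT_STYLE = """
<group name="syslog,">
<!-- rule id="1003" level="13" maxsize="304900">
<description>Non standard syslog message (size too large).</description>
</rule -->
<rule id="100001" level="3"><description>Constructed rule.</description></rule>
</group>
"""

if __name__ == "__main__":
    for name, sample in (("hash", HASH_STYLE), ("comment", XML_COMMENT_STYLE)):
        active, stray = lint_rules(sample)
        print(name, "active rules:", active, "stray text:", stray)
```

In the "#" version rule 1003 is still reported as active and the three "#" characters show up as stray text; in the comment version only rule 100001 remains.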
