On Fri, Oct 7, 2016 at 12:21 PM, Yousif Johny <[email protected]> wrote:
> Okay, I'll re-enable it and try to write a rule but,
>
> For now I'd like to know why after commenting it out it's still looking at
> this file.
>
> I made the change in ossec.conf under the local files portion to not look at
> /var/log/messages. And did the restart (service ossec restart) a couple of
> times.
>

No idea, never seen that issue before. The only thing I can think of is that the processes didn't actually restart. You could try stopping them, make sure they're dead, and then start them up again.
Also, verify that the alerts you're seeing actually come from the messages file, and not another file listed in the localfiles.

>
>
> On Friday, October 7, 2016 at 5:01:44 PM UTC+1, Yousif Johny wrote:
>>
>> Hi,
>>
>> I notice in the Web Interface that a device monitored with an Agent will
>> always report any addition to the /var/log/messages and it's a lot of
>> messages that I would like to eliminate.
>>
>> What I did was going to the ossec.conf at the monitored device, and
>> commented out the below, but it's still reporting the messages. Any idea?
>>
>> <!--
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/messages</location>
>> </localfile>
>> -->
>>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
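One way to carry out the second check in the reply (which file the alerts actually come from), as an added example that is not part of the original thread: it lists the `<localfile>` locations still active in an agent's ossec.conf, ignoring commented-out blocks, and compares them with the source file recorded in each alert. The sample config and alert text are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: agent ossec.conf with the block from the thread commented out.
SAMPLE_CONF = """<ossec_config>
  <!--
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  -->
  <localfile><log_format>syslog</log_format><location>/var/log/secure</location></localfile>
</ossec_config>
"""

# Constructed sample in the alerts.log layout: header, then "<time> <source>-><file>".
SAMPLE_ALERTS = """** Alert 1475856104.1021: - syslog,errors,
2016 Oct 07 17:01:44 (web01) 192.0.2.10->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'

** Alert 1475856190.1433: - syslog,sshd,
2016 Oct 07 17:03:10 (web01) 192.0.2.10->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
"""

ALERT_SRC = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (.+)->(.+)$")

def active_locations(conf_text):
    """Return <location> values of <localfile> blocks that are not commented out."""
    # ossec.conf may hold several <ossec_config> roots, so wrap it before parsing.
    # ElementTree drops XML comments, so commented-out blocks never appear.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    found = (lf.findtext("location", "") for lf in root.iter("localfile"))
    return [loc.strip() for loc in found if loc.strip()]

def alerts_by_location(alerts_text):
    """Count alerts per source file, read from the line after each '** Alert' header."""
    counts, lines = Counter(), alerts_text.splitlines()
    for prev, line in zip(lines, lines[1:]):
        m = ALERT_SRC.match(line)
        if prev.startswith("** Alert") and m:
            counts[m.group(2)] += 1
    return counts

def unexpected_sources(conf_text, alerts_text):
    """Files that still produce alerts but are not active in this config."""
    active = set(active_locations(conf_text))
    return sorted(loc for loc in alerts_by_location(alerts_text) if loc not in active)
```

A file in the result of `unexpected_sources` means alerts are still attributed to a location the parsed config no longer lists, which points back at the first suggestion in the reply; an empty result means the alerts come from files that are still listed.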
