You just did. I didn't think to check the processes. I had one set that was being controlled by ossec-control, starting and stopping as they should, but a second set that the command was not affecting. I've asked the SA to kill the extra processes and then should be able to restart "for real". Thanks for the response. Randy
>>> "dan (ddp)" <ddp...@gmail.com> 3/28/2011 2:04 PM >>> There is nothing that caches this information. If you change the file and successfully restart the ossec processes on the manager, there is no reason the old behavior should continue. Without more information I don't think I can help much more. On Thu, Mar 24, 2011 at 1:26 PM, Randy <randy.h.sm...@tn.gov> wrote: > I am new to OSSEC. I made changes to local_rules.xml, which seemed to > work. When I when back and made other changes that should have negated > some of the original ones, they never seemed to take effect. I have a > rule that is showing up in alert.log that was in the original changed > local_rules file, that does not now exist anywhere in it. The original > changes were made over a week ago and the second round the next day. I > have restarted OSSEC on the "main" server several times. > > What am I missing that will allow the rule changes to take effect? > > Thanks in advance. > > Randy
