2012/9/24 dan (ddp) <ddp...@gmail.com>

> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es <vanesmich...@gmail.com>
> wrote:
> > Hello,
> >
> > We are using OSSEC for a PoC and we want to show only some alerts
> initially
> > and expand the alert list.
> > We are using OSSEC 2.6 mixed Windows and Linux agents.
> > 1 Manager and several agents and Splunk on the manager server to show the
> > alerts.
> >
> > For now we want to achieve to show only failed and successful logins and
> > file integrity alerts.
> > How can we achieve this? => manually going through all rules/xml files
> and
> > set accordingly all xml entries to 0 or anything else? (0 meaning
> disabled
> > and don't show) or is there an easier way of achieving this?
> >
> > Kind regards,
> >
> > Michiel
>
> >>You can remove entire rules files if you don't want to use them. Just
> >>test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
> >>to make sure you didn't get rid of something necessary.
>

Would you suggest creating specific rules in XML files with the correct
alerts, moving/disabling all others, and starting from there?
This has to be done on the manager in /var/ossec/rules, and these rules are used in
/var/ossec/etc/ossec-server.conf, correct?
After that, a restart of ossec-hids?

Thanks for the help

Michiel
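Added example, not code from the thread or from the OSSEC project: a small Python script that inventories which rules files carry the group tags for the wanted alerts and which level-0 "grouping" rules the kept files still depend on through `<if_sid>`, so that whole files can be moved out of /var/ossec/rules without removing something necessary. The sample XML is constructed, modelled on the layout of OSSEC's sshd rules; the group names assumed to mark the wanted alerts are the OSSEC tags `authentication_success`, `authentication_failed` and `syscheck`.

```python
import xml.etree.ElementTree as ET

# Group tags OSSEC rules carry for the alerts the asker wants to keep (assumed)
WANTED = {"authentication_success", "authentication_failed", "syscheck"}

def _split(csv):
    return {t.strip() for t in (csv or "").split(",") if t.strip()}

def parse_rules(text):
    """Return [(id, level, tags, parent_ids)] for one OSSEC rules file.
    A rules file may hold several top-level <group> elements, so it is not
    well-formed XML by itself; wrap it in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    rules = []
    for grp in root.findall("group"):
        for rule in grp.iter("rule"):
            tags = _split(grp.get("name"))          # tags inherited from <group name=...>
            for g in rule.findall("group"):
                tags |= _split(g.text)              # plus the rule's own <group> tags
            parents = set().union(*(_split(s.text) for s in rule.findall("if_sid")))
            rules.append((rule.get("id"), int(rule.get("level", "0")), tags, parents))
    return rules

def classify(files):
    """files: {filename: xml text}. Keep a file if any rule in it has a wanted tag."""
    keep = sorted(n for n, t in files.items()
                  if any(tags & WANTED for _, _, tags, _ in parse_rules(t)))
    return keep, sorted(set(files) - set(keep))

def missing_parents(files, keep):
    """Ids that kept rules reference via <if_sid> but no kept file defines:
    removing their file breaks the dependent rules (what ossec-logtest -t is run to catch)."""
    kept = [r for n in keep for r in parse_rules(files[n])]
    return sorted({p for r in kept for p in r[3]} - {r[0] for r in kept})

# Constructed sample files, modelled on the layout of OSSEC's rules files
SAMPLE = {
    "sshd_base.xml": """<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1"><decoded_as>sshd</decoded_as><description>SSHD messages grouped.</description></rule>
</group>""",
    "sshd_rules.xml": """<group name="syslog,sshd,">
  <rule id="5716" level="5"><if_sid>5700</if_sid><match>^Failed</match><description>SSHD authentication failed.</description><group>authentication_failed,</group></rule>
</group>
<group name="syslog,sshd,">
  <rule id="5715" level="3"><if_sid>5700</if_sid><match>^Accepted</match><description>SSHD authentication success.</description><group>authentication_success,</group></rule>
</group>""",
}
```

Running `classify(SAMPLE)` keeps only sshd_rules.xml, and `missing_parents(SAMPLE, ["sshd_rules.xml"])` reports `["5700"]`: the dropped file defines the level-0 parent the kept login rules chain from, so it must stay (or its rules be copied) before the config is reloaded.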
