On Friday, November 13, 2015 at 8:51:45 AM UTC-5, dan (ddpbsd) wrote:
>
> Or are you sure the manager restarted? Most of the time when I've seen
> this behavior on the list analysisd did not actually stop, so it
> didn't pick up the new rules. Running `/var/ossec/bin/ossec-control
> stop`, then verifying all of the processes are stopped is a prudent
> course of action.
>

Hmmm, not sure this would cause it, but this is what I saw:

sudo /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
ossec-execd not running ..
OSSEC HIDS v2.8 Stopped

sudo ps aux| grep ossec
ossecm 4828 0.0 0.0 10508 260 ? S Nov10 0:00 /var/ossec/bin/ossec-maild

So, it stopped everything, except ossec-maild. I missed this the first time, because I specifically checked for analysisd instead of just "ossec". So, I manually killed the ossec-maild process and started everything back. I'm waiting to see if it generates an alert.