Thanks Pedro. So if I "rm /var/ossec/logs/alerts/alerts.log" and then "service ossec restart", that should be enough to restart the predecoding and decoding of everything and test out my local_rules.xml to see if certain alerts no longer appear in the alerts.log?

I will have a play with ossec-logtest too.

Cheers

On Thursday, 2 June 2016 12:31:59 UTC+1, Pedro S wrote:
>
> Hi Tahir,
>
> I don't think OSSEC has a tool to do that. The option you have is to remove
> previous/old alerts files, remove the alerts.log file and restart OSSEC.
> Another possibility is to create an intermediate script to search for all
> the occurrences of the alerts and remove them from every past alerts file.
>
> If you need to test the rules you created, you can do that using
> /var/ossec/bin/ossec-logtest: paste the event you want to test to inspect.
> You won't need to restart OSSEC because ossec-logtest loads the rules every
> time you run it, but once you check that the rule is working you will need
> to restart OSSEC to apply the changes.
>
>
> On Thursday, June 2, 2016 at 12:48:14 PM UTC+2, Tahir Hafiz wrote:
>>
>> Dear All,
>>
>> If I make changes to my local_rules.xml and add some rules in there to
>> effectively whitelist some false positives which happen as an environment
>> starts building (i.e. make them associate to level 0).
>> And then I want to test my new local_rules.xml without having to destroy
>> and start a new environment again - is there a way to wipe clean the alerts
>> file and get OSSEC to do its predecoding, decoding stuff from all the
>> received log entries from the OSSEC agents from fresh?
>> So effectively have a fresh alerts file which implements my new changes
>> in the local_rules.xml file.
>>
>> Cheers
>>
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
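Pedro's second suggestion, an intermediate script that strips the now-whitelisted alerts out of past alerts files, as an added Python example. This is not OSSEC's own tooling or code from the thread: the alert blocks are a constructed sample laid out like alerts.log, and the rule ids to silence (the ones overridden to level 0 in local_rules.xml) are passed in by hand.

```python
import re

# Constructed sample in the alerts.log layout (not taken from the thread).
# Each alert is a blank-line-separated block; the third line carries the rule id.
SAMPLE_ALERTS = """\
** Alert 1464865859.1001: - syslog,sshd,authentication_success,
2016 Jun 02 12:30:59 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.7
User: tahir
Jun  2 12:30:59 agent01 sshd[1234]: Accepted publickey for tahir from 10.0.0.7 port 50122 ssh2

** Alert 1464865861.1002: - syslog,errors,
2016 Jun 02 12:31:01 (agent01) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jun  2 12:31:01 agent01 puppet-agent[2201]: (/Stage[main]/Ntp) error: service not yet available

** Alert 1464865870.1003: - syslog,sshd,authentication_failed,
2016 Jun 02 12:31:10 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
User: root
Jun  2 12:31:10 agent01 sshd[1240]: Failed password for root from 10.0.0.9 port 50130 ssh2
"""

RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)

def split_alerts(text):
    """Split alerts.log text into its blank-line-separated alert blocks."""
    return [b.strip("\n") for b in re.split(r"\n\s*\n", text) if b.strip()]

def rule_id(block):
    # Rule id from the "Rule: NNNN (level N) -> '...'" line, or None if absent.
    m = RULE_LINE.search(block)
    return int(m.group(1)) if m else None

def prune_alerts(text, silenced_rule_ids):
    """Return (filtered_text, removed_count), dropping blocks whose rule is silenced."""
    kept, removed = [], 0
    for block in split_alerts(text):
        if rule_id(block) in silenced_rule_ids:
            removed += 1          # alert now whitelisted at level 0, drop it
        else:
            kept.append(block)    # everything else is preserved verbatim
    return "\n\n".join(kept) + "\n", removed

if __name__ == "__main__":
    out, n = prune_alerts(SAMPLE_ALERTS, {1002})
    print(f"removed {n} alert(s)\n{out}")
```

Run it over each rotated file under /var/ossec/logs/alerts/ and write the result back; a rule-id match keeps every other alert's lines untouched, which a plain grep -v on the rule line would not.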
