On Thu, Jun 2, 2016 at 9:19 AM, Tahir Hafiz <[email protected]> wrote:
> Thanks Pedro,
>
> So if I "rm /var/ossec/logs/alerts/alerts.log"
> and then "service ossec restart", that should be enough to restart the
> predecoding, decoding of everything and test out my local_rules.xml to see
> if certain alerts no longer appear in the alerts.log?
>

I don't think it will rescan old logs.

> I will have a play with ossec-logtest too.
>
> Cheers
>
>
> On Thursday, 2 June 2016 12:31:59 UTC+1, Pedro S wrote:
>>
>> Hi Tahir,
>>
>> I don't think OSSEC has a tool to do that; the option you have is to remove
>> previous/old alerts files, remove the alerts.log file and restart OSSEC. Another
>> possibility is to create an intermediate script to search for all the
>> occurrences of the alerts and remove them from every past alerts file.
>>
>> If you need to test the rules you created, you can do that using
>> /var/ossec/bin/ossec-logtest: paste the event you want to test to inspect it.
>> You won't need to restart OSSEC because ossec-logtest loads the rules every
>> time you run it, but once you check that the rule is working you will need
>> to restart OSSEC to apply the changes.
>>
>>
>> On Thursday, June 2, 2016 at 12:48:14 PM UTC+2, Tahir Hafiz wrote:
>>>
>>> Dear All,
>>>
>>> If I make changes to my local_rules.xml and add some rules in there to
>>> effectively whitelist some false positives which happen as an environment
>>> starts building (i.e. make them associate to level 0),
>>> and then I want to test my new local_rules.xml without having to destroy
>>> and start a new environment again: is there a way to wipe clean the alerts
>>> file and get OSSEC to do its predecoding, decoding stuff from all the
>>> received log entries from the OSSEC agents from fresh?
>>> So effectively have a fresh alerts file which implements my new changes
>>> in the local_rules.xml file.
>>>
>>> Cheers
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
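The ossec-logtest check Pedro describes, turned into a repeatable script; this is an added example and not code from the thread or from OSSEC. It assumes the standard /var/ossec/bin/ossec-logtest path and the tool's "**Phase 3" summary layout (rule id, level, description, and the "**Alert to be generated." line that only appears when the level reaches log_alert_level); the embedded sample output and rule id 100001 are constructed.

```python
"""Verify level-0 overrides in local_rules.xml against ossec-logtest output.

Added example: pipe one sample event through ossec-logtest and parse its
Phase 3 verdict, so a new local rule can be checked without restarting
OSSEC or waiting for agents to resend the noisy lines.
"""
import re
import subprocess

LOGTEST = "/var/ossec/bin/ossec-logtest"  # path named in the thread

# Constructed sample of ossec-logtest output for an event caught by a
# level-0 local rule (rule id and description are made up for this example).
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: 'Jun  2 09:00:01 web1 sshd[2211]: Failed password for invalid user deploy from 10.0.0.5 port 4022 ssh2'
       hostname: 'web1'
       program_name: 'sshd'

**Phase 2: Completed decoding.
       decoder: 'sshd'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '0'
       Description: 'Build-time login noise, whitelisted in local_rules.xml'
"""

FIELD = re.compile(r"^\s+(Rule id|Level|Description): '(.*)'$", re.M)


def parse_logtest(output):
    """Return the Phase 3 verdict, or None when no rule matched the event."""
    parts = output.split("**Phase 3:", 1)
    if len(parts) < 2:
        return None
    fields = dict(FIELD.findall(parts[1]))
    return {
        "rule_id": int(fields["Rule id"]),
        "level": int(fields["Level"]),
        "description": fields["Description"],
        # printed only when the level reaches log_alert_level, so level 0 is silent
        "alert": "**Alert to be generated." in parts[1],
    }


def expect_level(output, level):
    """True when the event matched a rule of exactly the expected level."""
    verdict = parse_logtest(output)
    return verdict is not None and verdict["level"] == level


def run_logtest(event, binary=LOGTEST):
    """Feed one event line to ossec-logtest (it prints to stderr) and parse it."""
    proc = subprocess.run([binary], input=event + "\n", capture_output=True, text=True)
    return parse_logtest(proc.stdout + proc.stderr)
```

Call `run_logtest(line)` on each whitelisted sample line after editing local_rules.xml, and only restart OSSEC once `expect_level` returns True for all of them.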
