On Wed, Aug 31, 2016 at 10:36 AM, Derek Day <[email protected]> wrote: > I'm running this on a security onion setup with a master and sensor servers. > I am modifying the local_rules file on each sensor server so maybe this is > why it's not acting right? >
I believe you should modify it on the master, and it should be automatically propagated to the sensors. > On Wed, Aug 31, 2016 at 9:33 AM, dan (ddp) <[email protected]> wrote: >> >> On Wed, Aug 31, 2016 at 10:26 AM, Derek Day <[email protected]> wrote: >> > I am trying to add some rules to my local_rules.xml file, and I've >> > noticed >> > that after I add the rules, restart the ossec service, after a while >> > maybe >> > 10-30 minutes or so (I didn't time it) the rule is gone from the >> > local_rules.xml file. Is this normal behavior? where did my rules go? >> > >> > Thanks for any clarification! >> > >> >> No, this is not normal. Does local_rules.xml revert to the default state? >> Do you have a configuration management system that could be interfering? >> >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/ryOwPYjp2PI/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
