Yes, I have. I've also tried disabling all the relevant changes I've made and restarting, and I still have the same issue.

On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <tsinfo...@gmail.com> wrote:
> > Hi all,
> >
> > I'm running into an issue where rule 510 is triggering and I'm getting
> > spammed with alerts but I can't seem to tune it correctly. What's weird is
> > that I am still getting alerted for rule 510 for this log, but I can't
> > figure out how to get that to show in logtest. Basically, I am getting
> > spammed with rule 510 and trying to filter it down more and here is what
> > happens when I enter the log in logtest: .... any ideas on how to fix
> > this?
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
> >        hostname: 'hostname'
> >        program_name: '(null)'
> >        log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'sample_decoder_setup'
> >        id: '/filepath/'
>
> Did you restart the OSSEC processes on the server after making your
> modifications?