The SA killed those extra processes and when I started OSSEC from scratch it
did update the rules. So all is now well.
Thanks again, dan.
Randy
>>> "dan (ddp)" 3/28/2011 2:04 PM >>>
There is nothing that caches this information. If you change the file
and successfully restart the ossec proc
You just did. I didn't think to check the processes. I had one set that was
being controlled by ossec-control, starting and stopping as they should, but a
second set that the command was not affecting. I've asked the SA to kill the
extra processes and then should be able to restart "for real".
There is nothing that caches this information. If you change the file
and successfully restart the ossec processes on the manager, there is
no reason the old behavior should continue.
Without more information I don't think I can help much more.
On Thu, Mar 24, 2011 at 1:26 PM, Randy wrote:
> I am
I am new to OSSEC. I made changes to local_rules.xml, which seemed to
work. When I when back and made other changes that should have negated
some of the original ones, they never seemed to take effect. I have a
rule that is showing up in alert.log that was in the original changed
local_rules file,
