ossec local_rules.xml clarification


Derek Day

Aug 31, 2016, 10:26:00 AM
to ossec-list
I am trying to add some rules to my local_rules.xml file, and I've noticed that after I add the rules and restart the ossec service, after a while (maybe 10-30 minutes or so, I didn't time it) the rule is gone from the local_rules.xml file. Is this normal behavior? Where did my rules go?

Thanks for any clarification!

dan (ddp)

Aug 31, 2016, 10:33:20 AM
to ossec...@googlegroups.com
No, this is not normal. Does local_rules.xml revert to the default state?
Do you have a configuration management system that could be interfering?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Derek Day

Aug 31, 2016, 10:36:08 AM
to ossec...@googlegroups.com
I'm running this on a Security Onion setup with master and sensor servers. I am modifying the local_rules file on each sensor server, so maybe this is why it's not acting right?



dan (ddp)

Aug 31, 2016, 10:38:09 AM
to ossec...@googlegroups.com
On Wed, Aug 31, 2016 at 10:36 AM, Derek Day <dday...@gmail.com> wrote:
> I'm running this on a security onion setup with a master and sensor servers.
> I am modifying the local_rules file on each sensor server so maybe this is
> why it's not acting right?
>

I believe you should modify it on the master, and it should be
automatically propagated to the sensors.


Derek Day

Aug 31, 2016, 10:38:46 AM
to ossec...@googlegroups.com
I'll try that. Thanks for the advice.


Derek Day

Aug 31, 2016, 10:49:00 AM
to ossec...@googlegroups.com
Just an update in case anyone else does the same thing. Dan's advice was correct. Add the rule you wish to add to the master server and not directly to the sensor and it will propagate out. Not sure why I didn't think of that to begin with.

Thank you, Dan.

Jim Clausing

Aug 31, 2016, 12:51:42 PM
to ossec-list
One thing I've noticed is that the .deb packages from wazuh overwrite local_rules.xml (they may be uninstalling the old and then installing the new rather than just processing it as an update; I'm not entirely sure, and it hasn't been important enough for me to track down because I have the following workaround). Fortunately, I have been able to get it back from my rules backup archive.

--
Jim Clausing
GIAC GSE #26, CISSP
GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
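A check for the failure mode this thread describes, added here as an example (not code from the thread, OSSEC, Wazuh or Security Onion): it parses a local_rules.xml, reports which expected custom rule IDs are no longer present, and hashes the file so the master copy can be compared with each sensor's after a restart or package upgrade. The sample rules below are constructed; OSSEC rule files may hold several top-level `<group>` elements, so the text is wrapped in a synthetic root before parsing.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample local_rules.xml with two custom rules in two groups.
SAMPLE_RULES = """<!-- Local rules (constructed sample) -->
<group name="local,syslog,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <match>Failed password</match>
    <description>Custom: SSH failed password (constructed)</description>
  </rule>
</group>
<group name="local,sudo,">
  <rule id="100002" level="7">
    <if_sid>5402</if_sid>
    <description>Custom: sudo to root (constructed)</description>
  </rule>
</group>
"""


def parse_rule_ids(xml_text):
    """Return the set of <rule id="..."> values found in the file.

    local_rules.xml is not a single-rooted XML document (many <group>
    elements, optional XML declaration), so strip any declaration and
    wrap the content in a synthetic root before parsing.
    """
    if xml_text.lstrip().startswith("<?xml"):
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return {rule.get("id") for rule in root.iter("rule") if rule.get("id")}


def missing_rules(xml_text, expected_ids):
    """Return the expected custom rule IDs that are absent, sorted."""
    return sorted(set(expected_ids) - parse_rule_ids(xml_text))


def rules_digest(xml_text):
    """SHA-256 of the file text; equal digests on master and sensor mean
    the file propagated unchanged, a different digest means drift."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # 100003 is a constructed ID that was "lost"; it should be reported.
    print("missing:", missing_rules(SAMPLE_RULES, ["100001", "100002", "100003"]))
    print("digest :", rules_digest(SAMPLE_RULES))
```

On a real deployment read `/var/ossec/rules/local_rules.xml` (the path is assumed; adjust to the install) on the master and on each sensor and compare the digests and the missing-ID lists.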
