Local Rule Update Ignored

Randy

Mar 24, 2011, 1:26:07 PM3/24/11
to ossec-list
I am new to OSSEC. I made changes to local_rules.xml, which seemed to
work. When I went back and made other changes that should have negated
some of the original ones, they never seemed to take effect. I have a
rule that is showing up in alert.log that was in the original changed
local_rules file, that does not now exist anywhere in it. The original
changes were made over a week ago and the second round the next day. I
have restarted OSSEC on the "main" server several times.

What am I missing that will allow the rule changes to take effect?

Thanks in advance.

Randy

Endy

Mar 27, 2011, 10:12:54 PM3/27/11
to ossec-list
I seem to have the same problem. Can someone help on this? Thanks.

Endy

dan (ddp)

Mar 28, 2011, 3:04:16 PM3/28/11
to ossec...@googlegroups.com
There is nothing that caches this information. If you change the file
and successfully restart the ossec processes on the manager, there is
no reason the old behavior should continue.
Without more information I don't think I can help much more.

Randy.H Smith

Mar 28, 2011, 3:24:07 PM3/28/11
to ossec...@googlegroups.com
You just did. I didn't think to check the processes. I had one set that was being controlled by ossec-control, starting and stopping as they should, but a second set that the command was not affecting. I've asked the SA to kill the extra processes and then should be able to restart "for real".
 
Thanks for the response.
 
Randy

>>> "dan (ddp)" <ddp...@gmail.com> 3/28/2011 2:04 PM >>>

Randy.H Smith

Mar 28, 2011, 3:35:25 PM3/28/11
to ossec...@googlegroups.com
The SA killed those extra processes and when I started OSSEC from scratch it did update the rules. So all is now well.
 
Thanks again, dan.
 
Randy

>>> "dan (ddp)" <ddp...@gmail.com> 3/28/2011 2:04 PM >>>
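
The failure mode worked through in this thread, as an added example that is not from the thread or from the OSSEC project: ossec-control only stops and starts the daemons it recorded when it started them, so a second set of ossec-* processes it does not track survives every "restart" and keeps running with whatever rules it loaded originally. ossec-analysisd is the daemon that loads local_rules.xml, so a stale copy of it is exactly what keeps a deleted rule showing up in the alerts. The script assumes ossec-control records its daemons as `<daemon>-<pid>.pid` files under /var/ossec/var/run (the default install directory); the process list and pid-file names it runs over are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project.
# ossec-control manages only the daemons whose pids it recorded as pid files
# (assumed layout: /var/ossec/var/run/<daemon>-<pid>.pid). Any other ossec-*
# process is outside its control, survives "ossec-control restart", and so
# keeps using the rules it loaded at its own start.

# find_stray_daemons: read "pid args" lines (as from `ps -eo pid,args`) on
# stdin, take the pid-file names as arguments, and print "pid daemon" for
# every ossec-* process that has no matching pid file.
find_stray_daemons() {
    awk -v files="$*" '
        BEGIN {
            # pids that ossec-control knows about, taken from the file names
            n = split(files, f, " ")
            for (i = 1; i <= n; i++)
                if (match(f[i], /-[0-9]+\.pid$/))
                    known[substr(f[i], RSTART + 1, RLENGTH - 5)] = 1
        }
        $2 ~ /ossec-/ {
            k = split($2, p, "/")          # strip the directory from the path
            if (!($1 in known)) print $1, p[k]
        }' | sort -n
}

# Constructed sample data: one full set of daemons started by ossec-control
# plus a stale second ossec-remoted and ossec-analysisd (pids 201 and 202),
# the "second set" described in the thread.
SAMPLE_PS='  PID COMMAND
  101 /var/ossec/bin/ossec-monitord
  102 /var/ossec/bin/ossec-logcollector
  103 /var/ossec/bin/ossec-remoted
  104 /var/ossec/bin/ossec-syscheckd
  105 /var/ossec/bin/ossec-analysisd
  106 /var/ossec/bin/ossec-maild
  107 /var/ossec/bin/ossec-execd
  201 /var/ossec/bin/ossec-remoted
  202 /var/ossec/bin/ossec-analysisd
  300 /usr/sbin/sshd -D'
SAMPLE_PIDFILES='ossec-monitord-101.pid ossec-logcollector-102.pid ossec-remoted-103.pid ossec-syscheckd-104.pid ossec-analysisd-105.pid ossec-maild-106.pid ossec-execd-107.pid'

# check_sample: run the check over the constructed data.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_stray_daemons $SAMPLE_PIDFILES
}

# Run directly: "--sample" shows the constructed result; otherwise, if OSSEC
# is installed under /var/ossec, check the live process table.
if [ "${1:-}" = "--sample" ]; then
    check_sample
elif [ -d /var/ossec/var/run ]; then
    ps -eo pid,args | find_stray_daemons $(cd /var/ossec/var/run && ls *.pid 2>/dev/null)
fi
```

On the sample data this prints `201 ossec-remoted` and `202 ossec-analysisd`, the two processes an `ossec-control restart` would leave untouched. On a real manager, treat the output as a list to verify against ossec-control's own status output before acting on it: a process listed here is one ossec-control does not know about, and the thread's fix was to stop those and then start OSSEC cleanly so that a single set of daemons reloads local_rules.xml.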

Endy

Mar 29, 2011, 1:12:22 AM3/29/11
to ossec-list
Very helpful. Our problem was also solved by killing all ossec
processes and restarting ossec-control. Thanks a lot.

Endy