[ossec-list] Re: Server - Agent Rule Relationship
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Server - Agent Rule Relationship
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 24 Jul 2007 23:05:58 -0300
- Cc: "Clayton Dillard" <cdillard@xxxxxxxxxxxxxxxxx>
Hi Clayton,
Within the ossec model, the agents have no information about rules whatsoever.
So, if you need to modify a rule, you need to do it on the server side.
How do you do it? If you have a rule like this (from our FAQ):
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>
But you only want it to apply to one agent, you need to use the "hostname" tag
to limit it to the agents you want:
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
</group>
Hope it helps.
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/24/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
>
> I'm a bit fuzzed on the relationship between the server and agents with respect to rule processing. I have an OSSEC server with several agents connected. If I want to make a change to a rule that affects a given host, do I make the change on the server or the host(s)?
>
> Thanks,
>
> --
> Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx>
> RPS Technology, LLC
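The restriction Daniel describes is decided entirely on the server: the rule's `<hostname>` tag is compared against the hostname (for agent traffic, the agent name) that arrives with each event. The script below is an added example, not code from this mail or from the OSSEC project. It parses the rule exactly as written above and runs a small matcher over constructed events from four hosts. The matcher is an assumption: it models OSSEC's OS_Match semantics as documented for `<hostname>` (`|` separates alternatives, `^` and `$` anchor, an unanchored alternative is a substring match), and `EVENTS` is constructed sample data. The point it makes is the caveat a practitioner wants: unanchored `agent1|agent2` also covers an agent named `agent10`, so anchor the names (`^agent1$|^agent2$`) and confirm the behaviour against the real server with `ossec-logtest` before relying on it.

```python
import xml.etree.ElementTree as ET

# Rule from the mail above, with the <hostname> restriction, as the
# administrator would place it in the server's rules/local_rules.xml.
LOCAL_RULES = """<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
</group>"""


def load_hostname_patterns(rules_xml):
    """Return {rule_id: hostname pattern} for every rule carrying <hostname>."""
    root = ET.fromstring(rules_xml)
    patterns = {}
    for rule in root.iter("rule"):
        host = rule.find("hostname")
        if host is not None and host.text:
            patterns[rule.get("id")] = host.text.strip()
    return patterns


def os_match(pattern, value):
    """Simplified model of OSSEC's OS_Match (an assumption, not OSSEC's code):
    '|' separates alternatives, '^' anchors to the start, '$' to the end,
    and an alternative without anchors matches anywhere as a substring."""
    for alt in pattern.split("|"):
        alt = alt.strip()
        if not alt:
            continue
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt[(1 if anchored_start else 0):(len(alt) - 1 if anchored_end else len(alt))]
        if anchored_start and anchored_end:
            hit = value == core
        elif anchored_start:
            hit = value.startswith(core)
        elif anchored_end:
            hit = value.endswith(core)
        else:
            hit = core in value
        if hit:
            return True
    return False


def matching_hosts(pattern, events):
    """Hostnames in `events` whose events the <hostname> pattern would select."""
    return [e["hostname"] for e in events if os_match(pattern, e["hostname"])]


# Constructed sample events; for agent traffic the server fills in the
# agent name as the event's hostname.
EVENTS = [
    {"hostname": "agent1", "log": "xyz happened"},
    {"hostname": "agent2", "log": "xyz happened"},
    {"hostname": "agent10", "log": "xyz happened"},
    {"hostname": "server", "log": "xyz happened"},
]

if __name__ == "__main__":
    loose = load_hostname_patterns(LOCAL_RULES)["100101"]
    strict = "^agent1$|^agent2$"
    print(loose, "->", matching_hosts(loose, EVENTS))    # agent10 is swept in
    print(strict, "->", matching_hosts(strict, EVENTS))  # only the two intended
```

Because the agent never sees the rule set, editing a file on the agent cannot change this outcome; only the server's rules (and a restart of the server processes so they are reloaded) matter.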
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.