Hi Clayton,

Within the ossec model, the agents have no information about rules whatsoever. So, if you need to modify a rule, you need to do it on the server side.

How do you do it? If you have a rule like that (from our FAQ):

<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>

But you only want it to apply to one agent, you need to use the "hostname" tag to limit it to the agents you want:

<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
</group>

Hope it helps.

*http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/24/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
>
> I'm a bit fuzzed on the relationship between the server and agents with respect to rule processing. I have an OSSEC server with several agents connected. If I want to make a change to a rule that affects a given host, do I make the change on the server or the host(s)?
>
> Thanks,
>
> --
> Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx>
> RPS Technology, LLC
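An added example, not part of the original message and not OSSEC code: a Python audit of a server-side rules file that reports which level-0 (ignore) rules are limited by a "hostname" tag and which silence events from every agent. Rule 100102 and the function name are constructed for the example, and it assumes the file parses as XML once wrapped in a single root element and that "hostname" holds a "|"-separated list as in the message above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule 100101 is the scoped rule from the message above,
# rule 100102 is an invented copy without a <hostname> restriction.
SAMPLE_RULES = """
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
  <rule id="100102" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>
"""


def audit_ignore_rules(rules_text):
    """Return (scoped, unscoped) for level-0 rules.

    scoped maps rule id -> list of hostnames the ignore is limited to;
    unscoped lists ids of ignore rules that apply to all agents.
    """
    # A rules file can hold several top-level <group> elements, so wrap the
    # text in one synthetic root before parsing (assumption of this example).
    root = ET.fromstring("<rules>" + rules_text + "</rules>")
    scoped, unscoped = {}, []
    for rule in root.iter("rule"):
        if rule.get("level") != "0":
            continue  # only ignore rules are of interest here
        host = rule.find("hostname")
        names = [h.strip() for h in (host.text or "").split("|")] if host is not None else []
        names = [h for h in names if h]
        if names:
            scoped[rule.get("id")] = names
        else:
            unscoped.append(rule.get("id"))
    return scoped, unscoped


if __name__ == "__main__":
    scoped, unscoped = audit_ignore_rules(SAMPLE_RULES)
    for rid, hosts in scoped.items():
        print(f"rule {rid}: ignored only for {', '.join(hosts)}")
    for rid in unscoped:
        print(f"rule {rid}: ignored for every agent")
```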