Hi,

Is there a way to write a rule where OSSEC would wait a bit and then report updated packages? I have a problem whenever a machine is being updated: OSSEC sends a massive number of emails with information about updated packages (I use CentOS and yum).

I tried something like this:

  <rule id="330991" level="5">
    <if_sid>2933</if_sid>
    <options>no_log</options>
    <description>Yum package updated</description>
  </rule>

  <rule id="330999" level="7" frequency="1" timeframe="300">
    <if_matched_sid>330991</if_matched_sid>
    <description>Multiple yum packages installed.</description>
  </rule>

But that's not it... It won't report one or two packages updated (because of frequency) and it won't group more than 3 log entries in one alert.

So I would basically like for OSSEC to report even if only one package is updated/erased/installed, but also, if there is a mass update going on, to send one email of all packages updated in some timeframe, for example 5 minutes.

I didn't try this:

  <rule id="330999" level="7" timeframe="600">

because the documentation says timeframe goes with frequency. Maybe it can work standalone?

-- 
Jakov Sosic
www.srce.unizg.hr
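Added example, not from the post above and not OSSEC's own code: a small Python model that replays constructed yum.log lines through a simplified version of the composite rule in the post (the OSSEC rule-syntax documentation notes that a frequency rule triggers after frequency+2 matches, which is why one or two updates stay silent) and through the digest behaviour the post asks for, where one timeframe window collects everything and a lone event still gets its own alert. The composite-rule function is an assumed simplification, not OSSEC's matching engine, and the log lines and year are constructed.

```python
from datetime import datetime

# Constructed sample of /var/log/yum.log lines (not taken from the poster's system):
# four operations in a burst, then one lone kernel update half an hour later.
SAMPLE_YUM_LOG = """\
Mar 10 02:00:01 Updated: openssl-1.0.1e-30.el6.x86_64
Mar 10 02:00:03 Updated: bash-4.1.2-15.el6.x86_64
Mar 10 02:00:04 Installed: tmux-1.6-3.el6.x86_64
Mar 10 02:00:09 Erased: telnet-0.17-47.el6.x86_64
Mar 10 02:30:00 Updated: kernel-2.6.32-431.el6.x86_64
"""

def parse_yum_log(text, year=2014):
    """Return (timestamp, action, package) tuples; yum.log carries no year."""
    events = []
    for line in text.splitlines():
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        action, package = line[16:].split(": ", 1)
        events.append((stamp, action, package))
    return events

def composite_rule_alerts(events, frequency, timeframe):
    """Simplified model (assumption) of an if_matched_sid rule: it fires once
    frequency+2 matches fall inside timeframe seconds, reports only those
    matches, and starts counting again from zero."""
    alerts, window, needed = [], [], frequency + 2
    for ts, action, package in events:
        window = [e for e in window if (ts - e[0]).total_seconds() <= timeframe]
        window.append((ts, action, package))
        if len(window) >= needed:
            alerts.append([f"{a}: {p}" for _, a, p in window])
            window = []
    return alerts

def digest_alerts(events, timeframe):
    """Behaviour the poster asks for: the first event opens a window, every
    event inside timeframe seconds joins the same alert, and a lone event
    still produces an alert of its own when the window closes."""
    alerts, batch, opened = [], [], None
    for ts, action, package in events:
        if batch and (ts - opened).total_seconds() > timeframe:
            alerts.append(batch)
            batch = []
        if not batch:
            opened = ts
        batch.append(f"{action}: {package}")
    if batch:
        alerts.append(batch)
    return alerts

EVENTS = parse_yum_log(SAMPLE_YUM_LOG)
```

With frequency="1" and timeframe="300" the model reports only the first three entries of the burst and never the kernel update, while the digest produces one alert of four entries and a second one for the lone update.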