On Mon, Apr 22, 2013 at 11:26 AM, Michiel van Es <[email protected]> wrote:
> Hello,
>
> We have found out that we had an Apache webserver showing it has reached
> the MaxClients settings.
> We could not find the message back in our Splunk interface so I copy/pasted
> the message into /var/ossec/bin/ossec-logtest and found out that it is being
> silenced by the apache_rules.xml rule.
> See pastebin: http://pastebin.com/58J8FitT
>
> We are now not seeing this message.
>
> Is there a reason why these kinds of messages (since it is a grouped message)
> are set to level 0 by default?
>

The message grouping rules are there to help you build other, more specific
rules. There would be a lot of noise if we set these to a higher level. My
best advice would be to write more specific rules as children to the
grouping rules.

> Is there an easy way to overrule this setting in local_rules.xml to make
> sure these messages are logged?
>

If you really want to do it, use the overwrite option.

> Thanks for any help.
>
> Michiel

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
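The two options from the reply, sketched as a local_rules.xml fragment. This is an added example, not part of the original thread. It assumes the silencing rule reported by ossec-logtest is 30101, the level-0 Apache error grouping rule in the stock apache_rules.xml (the pastebin output is not reproduced here), and that the log line contains Apache's usual "server reached MaxClients setting" text; the rule id 100100 and level 7 are arbitrary choices.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; ids and levels are assumptions) -->
<group name="local,apache,">

  <!-- Option 1: child rule. Fires only for the MaxClients message and leaves
       the level-0 grouping rule untouched, so other Apache errors stay quiet.
       Ids 100000 and up are the range reserved for user-defined rules. -->
  <rule id="100100" level="7">
    <!-- Parent: replace 30101 with the id ossec-logtest prints for your line. -->
    <if_sid>30101</if_sid>
    <match>server reached MaxClients setting</match>
    <description>Apache reached its MaxClients limit.</description>
    <group>service_availability,</group>
  </rule>

  <!-- Option 2: overwrite the grouping rule itself. Every Apache [error] line
       then alerts at the new level, which is the noise the reply warns about.
       The rule body must be restated in full; copy it from your installed
       apache_rules.xml rather than from this sketch.

  <rule id="30101" level="5" overwrite="yes">
    <if_sid>30100</if_sid>
    <match>^[error] </match>
    <description>Apache error messages grouped.</description>
  </rule>
  -->

</group>
```

After saving, paste the original log line into /var/ossec/bin/ossec-logtest again to confirm the new rule id and level are reported, then restart OSSEC so the change takes effect.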
