On 2014-03-21 11:57, Jason Frisvold wrote:
Michael Starks wrote:
OSSEC should be useful out of the box. It should ship with a default
ruleset like AV ships with DATs that are current at that time, then
updates as new rules are written or updated.
I think the analogy you use is only partially true, though. Because of
how OSSEC currently works, there are problems with having all of the
decoders and rules active at the same time. Some logs look just like
others, even though they need to be treated differently.
If you are experiencing a performance problem with this it might be a
bug. OSSEC is designed to evaluate logs in a tree-like fashion. It
should only check as many decoders and rules as it needs to (maybe 3 or 4)
for each log before it stops and decides to continue on. Theoretically,
it should have no problem with tens of thousands of rules.
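An added illustration of the tree-style evaluation Michael describes above (example code written for this thread, not OSSEC's own code): a log line is decoded, only the root rules of that decoder are tried, and only the children of a matching rule are visited, so a handful of checks settle each line no matter how many rules exist. The rule ids, decoder patterns and log lines are constructed for the example and are not OSSEC's shipped rules.

```python
import re
from collections import defaultdict

# Constructed rule set, loosely modelled on OSSEC's parent/child (if_sid) chaining.
# Assumption: ids, decoders and patterns are illustrative, not OSSEC's real ruleset.
RULES = [
    # (rule_id, parent_id, decoder, regex or None, alert level)
    (5700, None, "sshd", None, 0),                  # root: any sshd event
    (5716, 5700, "sshd", r"Failed password", 5),
    (5715, 5700, "sshd", r"Accepted password", 3),
    (5720, 5716, "sshd", r"from 10\.", 7),          # grandchild: failure from 10.x
    (5401, None, "sudo", None, 0),                  # root: any sudo event
    (5402, 5401, "sudo", r"COMMAND=", 3),
]
DECODERS = [("sshd", r"^sshd\["), ("sudo", r"^sudo: ")]

ROOTS = defaultdict(list)      # decoder name -> root rules
CHILDREN = defaultdict(list)   # rule id -> child rules
for rule in RULES:
    (ROOTS[rule[2]] if rule[1] is None else CHILDREN[rule[1]]).append(rule)

def decode(line):
    """Linear decoder list: the first decoder whose pattern matches wins, which is
    why two look-alike log formats can end up in the wrong decoder."""
    for name, pat in DECODERS:
        if re.search(pat, line):
            return name
    return None

def evaluate(line):
    """Tree walk: try the decoder's root rules, descend into the children of the
    first rule that matches at each level, stop when nothing matches.
    Returns (deepest matching rule id or None, number of rules checked)."""
    checked, matched = 0, None
    candidates = ROOTS.get(decode(line), [])
    while candidates:
        next_candidates = []
        for rid, _parent, _decoder, pat, _level in candidates:
            checked += 1
            if pat is None or re.search(pat, line):
                matched = rid
                next_candidates = CHILDREN[rid]   # first match at this level wins
                break
        candidates = next_candidates
    return matched, checked

if __name__ == "__main__":
    for log in ["sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2",
                "sudo: bob : TTY=pts/0 ; COMMAND=/bin/ls",
                "cron[5]: (root) CMD (run-parts)"]:   # constructed sample lines
        print(evaluate(log), "of", len(RULES), "rules")
```

Each line above is settled after at most three rule checks out of six, and the count stays flat as more sibling subtrees are added under other decoders.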