Michael Starks wrote:
> If you are experiencing a performance problem with this it might be a
> bug. OSSEC is designed to evaluate logs in a tree-like fashion. It
> should only check as many decoders and rules as it needs to (maybe 3 or 4)
> for each log before it stops and decides to continue on. Theoretically,
> it should have no problem with tens of thousands of rules.
Not performance. My example would be the current pure-ftpd decoders. For whatever reason, they're matching Apache log entries. I don't use pure, so it was simple enough to disable that. But I can imagine that there may be other situations where some decoders will match similar logs. If that happens, then the proper rules may not fire.

--
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
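The failure mode Jason describes (one decoder's prematch claiming another product's log lines, so the intended decoder and its rules never run) can be reproduced with a small first-match model. The script below is an added example, not OSSEC's code and not part of this thread: it models decoder selection as "the first decoder whose prematch hits the line wins", which is a simplification of OSSEC's real decoder tree. The decoder names, the deliberately over-broad `pure-ftpd` prematch, the tightened replacement, and the two sample log lines are all constructed for the illustration. The `audit()` helper is the check a defender would run after editing decoders: feed a labelled sample of every log source you ingest and confirm each line lands in the decoder you expect.

```python
import re

# Constructed sample lines, as they would look after the syslog header is stripped.
APACHE_LINE = '192.0.2.10 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'
FTP_LINE = "pure-ftpd: (?@192.0.2.20) [INFO] New connection from 192.0.2.20"

# Labelled corpus: (log line, decoder that should claim it).
LABELLED_LOGS = [
    (APACHE_LINE, "apache-access"),
    (FTP_LINE, "pure-ftpd"),
]

APACHE_PREMATCH = re.compile(r'^\d+\.\d+\.\d+\.\d+ - \S+ \[[^\]]+\] "')

# Hypothetical over-broad decoder set: the pure-ftpd prematch fires on any
# line containing an IPv4 address, so it claims Apache access lines too.
DECODERS_LOOSE = [
    {"name": "pure-ftpd", "prematch": re.compile(r"\d+\.\d+\.\d+\.\d+")},
    {"name": "apache-access", "prematch": APACHE_PREMATCH},
]

# Tightened set: the pure-ftpd prematch is anchored to pure-ftpd's own
# "pure-ftpd: (user@ip)" prefix, so it no longer overlaps Apache lines.
DECODERS_TIGHT = [
    {"name": "pure-ftpd", "prematch": re.compile(r"^pure-ftpd: \(\S*@\d+\.\d+\.\d+\.\d+\) ")},
    {"name": "apache-access", "prematch": APACHE_PREMATCH},
]


def decode(line, decoders):
    """Return the name of the first decoder whose prematch hits the line.

    Simplified model of first-match decoder selection: once a decoder claims
    the line, later decoders are never consulted, so their rules cannot fire.
    """
    for decoder in decoders:
        if decoder["prematch"].search(line):
            return decoder["name"]
    return None


def audit(decoders, labelled_logs=LABELLED_LOGS):
    """Return (line, expected, actual) for every line claimed by the wrong decoder."""
    mismatches = []
    for line, expected in labelled_logs:
        actual = decode(line, decoders)
        if actual != expected:
            mismatches.append((line, expected, actual))
    return mismatches


if __name__ == "__main__":
    for label, decoders in (("loose", DECODERS_LOOSE), ("tight", DECODERS_TIGHT)):
        problems = audit(decoders)
        print(f"{label}: {len(problems)} misrouted line(s)")
        for line, expected, actual in problems:
            print(f"  expected {expected}, got {actual}: {line}")
```

With the loose set the Apache line is reported as misrouted to `pure-ftpd`; with the tight set the audit returns nothing. Running this kind of check against a sample of each log source after any decoder change is the cheapest way to catch the silent "proper rules may not fire" case before it reaches production.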
