On Fri, Mar 21, 2014 at 3:32 PM, Jason Frisvold <[email protected]> wrote:
> Michael Starks wrote:
>> If you are experiencing a performance problem with this it might be a
>> bug. OSSEC is designed to evaluate logs in a tree-like fashion. It
>> should only check as many decoders and rules it needs to (maybe 3 or 4)
>> for each log before it stops and decides to continue on. Theoretically,
>> it should have no problem with tens of thousands of rules.
>
> Not performance.. My example would be the current pure-ftpd decoders.
> For whatever reason, they're matching apache log entries. I don't use
> pure, so it was simple enough to disable that. But I can imagine that
> there may be other situations where some decoders will match similar
> logs. If that happens, then the proper rules may not fire.
>
Apache logs are being labeled as pure-ftpd logs? Would you mind adding an issue to the github for this?

>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
