I stopped them all (which appeared to work fine) and started again. Here is
the rule and decoder I made for this (I want to alert only once if the same
ID (filepath) has alerted in the past minute):
510
This is meant to reduce noise as these events happen in
batches with not much
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made,
> restart, and still have the same issue.
>
Try stopping the ossec processes, verify that ossec-analysisd has
stopped (sometimes it doesn't and causes issues), and star
Yes I have, I've also tried to disable all the relevant changes I've made,
restart, and still have the same issue.
On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams > wrote:
> > Hi all,
> >
> > I'm running into an issue wher
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting
> spammed with alerts but I can't seem to tune it correctly. What's weird is
> that I am still getting alerted for rule 510 for this log, but I can't
> figure ou
Hi all,
I'm running into an issue where rule 510 is triggering and I'm getting
spammed with alerts but I can't seem to tune it correctly. What's weird is
that I am still getting alerted for rule 510 for this log, but I can't
figure out how to get that to show in logtest. Basically, I am getting
Hello Victor,
I tried to run a second manager and I've the same file
/var/ossec/etc/client.keys
on it and on the first manager. I've copied the local_rules, ossec.conf,
local_decoder as well.
And I've specified on the agents to listen on it, as you told me:
10.0.0.1 10.0.0.2
My first man
I'm not sure if this is a problem with the OSSEC configuration or the
host itself, but there are some events where the logs or full message only
have some of the information I need. For example, this will be the full
message I receive (2016-02-03 14:16:35 status installed some_package). The
e
Hello,
I have alerts coming in huge batches for rule 510. The batches of alerts
are essentially all the same event and the file path of the area that's
causing this is essentially identical in each batch except for the last
file. I'm trying to setup a rule that would look at the ID I setup in m
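The two messages above that ask for "one alert per minute for the same ID (file path)" on rule 510 never show the rule they attached, so here is an added local_rules.xml fragment illustrating the closest stock OSSEC mechanism. This is example configuration written for this page, not the poster's rule and not OSSEC project code: the rule id 100510, the directory /opt/app/cache/ and the level are made-up placeholders; only the stock parent rule 510, the `if_sid`/`match` elements and the `ignore` rule attribute are real OSSEC syntax.

```xml
<!-- Added illustration for this page, not the poster's rule.
     Drop into /var/ossec/rules/local_rules.xml and restart the manager.
     100510 and /opt/app/cache/ are placeholders; adjust to the real prefix. -->
<group name="local,rootcheck,">

  <!-- Child of the stock rootcheck anomaly rule 510. It fires only when the
       rootcheck message names the noisy directory, and ignore="60" makes
       ossec-analysisd suppress this rule for 60 seconds after it fires,
       so a batch of near-identical events yields one alert per minute. -->
  <rule id="100510" level="7" ignore="60">
    <if_sid>510</if_sid>
    <match>/opt/app/cache/</match>
    <description>Rootcheck anomaly under /opt/app/cache/ (at most one alert per 60s)</description>
    <group>rootcheck,</group>
  </rule>

</group>
```

Caveat a practitioner should know before relying on this: `ignore` is tracked per rule, not per decoded id or file path. A batch that touches ten different files under the prefix still produces a single alert for the whole 60-second window, not one per file; the first matching event alerts and the rest are dropped until the window expires. If you genuinely need one alert per distinct path, the only stock way is one child rule per path (or per narrower prefix), each with its own `ignore`. Because the child rule has a higher-numbered id and matches more specifically, it takes precedence over the generic 510 for these events, which is what stops the original flood.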