Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 6:11 AM, Jesus Linares  wrote:
> I never used it:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
>
> I think it is the time when the event comes to the manager (not the original
> time).
>

Oh, ok. Obviously I have never used it either.

> On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson
>>  wrote:
>> > Hello,
>> >
>> > Let's say I have a script which runs once every half an hour. With a latency
>> > difference of about 10-20 seconds.
>> > Would it be possible to match the following:
>> >
>> > 1. Time
>> > 2. Hostname
>> > 3. Username
>> >
>> > The reason I prefer more than a single match, i.e. only time, is to not by
>> > mistake miss an actual event.
>> >
>> > 
>> >
>> >  5501
>> >  **:30
>> >
>> >  agent-hostname
>> >  ssh-user
>> >
>> >  no_email_alert
>> >
>> >  Ignore rule 5501 for host 
>> >
>> > 
>> >
>>
>> Where do you plan on getting the time from? The timestamp in the logs
>> is stripped off and not evaluated.
>>
>> >
>> > Kind regards,
>> > Fredrik
>> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-07 Thread Jesus Linares
I never used it:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time

I think it is the time when the event comes to the manager (not the original
time).

On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson 
>  wrote: 
> > Hello, 
> > 
> > Let's say I have a script which runs once every half an hour. With a latency
> > difference of about 10-20 seconds.
> > Would it be possible to match the following: 
> > 
> > 1. Time 
> > 2. Hostname 
> > 3. Username 
> > 
> > The reason I prefer more than a single match, i.e. only time, is to not by
> > mistake miss an actual event.
> > 
> >  
> > 
> >  5501 
> >  **:30 
> > 
> >  agent-hostname 
> >  ssh-user 
> > 
> >  no_email_alert 
> > 
> >  Ignore rule 5501 for host  
> > 
> >  
> > 
>
> Where do you plan on getting the time from? The timestamp in the logs
> is stripped off and not evaluated.
>
> > 
> > Kind regards, 
> > Fredrik 
> > 

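To make concrete what Jesus and dan describe above (the log line's own timestamp is dropped, and the rule's time condition is compared against the time the manager handles the event), here is an added Python model of matching on time, hostname and user. It is example code, not OSSEC's implementation; the "hh:mm-hh:mm" window format follows the OSSEC rule documentation, while the Event and Rule classes and their field names are assumptions, and the "**:30" every-hour wildcard from the original rule is not modelled.

```python
# Added model (not OSSEC's own code) of <time>/<hostname>/<user> rule evaluation.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class Event:
    received_at: datetime   # manager wall clock when the event arrived
    hostname: str
    user: str
    raw: str                # the log line; its own timestamp is never consulted

@dataclass
class Rule:
    time_window: Optional[str] = None   # "hh:mm-hh:mm", as in the OSSEC rule docs
    hostname: Optional[str] = None
    user: Optional[str] = None

def parse_window(spec: str):
    """Split 'hh:mm-hh:mm' (spaces around '-' allowed) into two time objects."""
    start, end = (part.strip() for part in spec.split("-", 1))
    return time.fromisoformat(start), time.fromisoformat(end)

def in_window(t: time, spec: str) -> bool:
    """Inclusive check at minute granularity; a window may wrap past midnight."""
    start, end = parse_window(spec)
    t = t.replace(second=0, microsecond=0)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def rule_matches(rule: Rule, ev: Event) -> bool:
    """Every configured condition must hold (AND), like fields of one OSSEC rule."""
    if rule.hostname is not None and ev.hostname != rule.hostname:
        return False
    if rule.user is not None and ev.user != rule.user:
        return False
    if rule.time_window is not None and not in_window(ev.received_at.time(), rule.time_window):
        return False
    return True

# Constructed sample: the half-hourly job logged at 00:29:58, reached the manager 17 s later.
SAMPLE = Event(
    received_at=datetime(2017, 7, 3, 0, 30, 15),
    hostname="agent-hostname",
    user="ssh-user",
    raw="Jul  3 00:29:58 agent-hostname sshd[123]: Accepted publickey for ssh-user",
)
IGNORE_RULE = Rule(time_window="00:30-00:31", hostname="agent-hostname", user="ssh-user")
```

Because the comparison is against arrival time at minute granularity, a 10-20 s delivery delay still lands inside the ":30" minute, but a window narrower than the jitter would silently miss events.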


Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson
 wrote:
> Hello,
>
> Let's say I have a script which runs once every half an hour. With a latency
> difference of about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3. Username
>
> The reason I prefer more than a single match, i.e. only time, is to not by
> mistake miss an actual event.
>
> 
>
>  5501
>  **:30
>
>  agent-hostname
>  ssh-user
>
>  no_email_alert
>
>  Ignore rule 5501 for host 
>
> 
>

Where do you plan on getting the time from? The timestamp in the logs
is stripped off and not evaluated.

>
> Kind regards,
> Fredrik
>
