Re: [ossec-list] OSSEC rule match time and timeframe
On Fri, Jul 7, 2017 at 6:11 AM, Jesus Linares wrote:
> I never used it:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
>
> I think it is the time when the event comes to the manager (not the original
> time).

Oh, ok. Obviously I have never used it either.

> On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote:
>>
>> On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson wrote:
>> > Hello,
>> >
>> > Let's say I have a script which runs once every half an hour, with a
>> > latency difference of about 10-20 seconds.
>> > Would it be possible to match the following:
>> >
>> > 1. Time
>> > 2. Hostname
>> > 3. Username
>> >
>> > The reason I prefer more than a single match, i.e. only time, is to not by
>> > mistake miss an actual event.
>> >
>> >   <if_sid>5501</if_sid>
>> >   <time>**:30</time>
>> >   <hostname>agent-hostname</hostname>
>> >   <user>ssh-user</user>
>> >   <options>no_email_alert</options>
>> >   <description>Ignore rule 5501 for host</description>
>> >
>>
>> Where do you plan on getting the time from? The timestamps in the logs
>> are stripped off and not evaluated.
>>
>> > Kind regards,
>> > Fredrik

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
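The three-condition match discussed in this thread (a time window plus hostname plus user, with the rule's time evaluated against the moment the manager received the event rather than the timestamp inside the log line, which Dan says is stripped), emulated as an added illustration. This is my own stand-alone code, not OSSEC's analysisd matcher and not anything posted in the thread; the event fields, the `period`/`slack` rule keys and the sample events are constructed assumptions. It does not verify whether OSSEC accepts a `**:30` wildcard; it only shows what a half-hourly window with 10-20 s of jitter has to tolerate, and how the outcome changes if the log's own timestamp were consulted instead of the arrival time.

```python
"""Emulate a time + hostname + user suppression rule the way the thread
describes OSSEC evaluating it: on manager arrival time, never on the
timestamp carried in the log line.  Illustration only, not OSSEC code."""
from datetime import datetime, timedelta

# Constructed sample events (not real OSSEC output).  `received` is when the
# manager saw the event; `log_time` is the timestamp the agent's log line
# carried, which the thread says OSSEC strips before rule evaluation.
EVENTS = [
    {"sid": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "log_time": "2017-07-03T06:30:05", "received": "2017-07-03T06:30:18"},
    # same job, but agent-to-manager delivery was late: arrives 100 s after :30
    {"sid": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "log_time": "2017-07-03T06:30:08", "received": "2017-07-03T06:31:40"},
    # right time and host, wrong user: must still alert
    {"sid": 5501, "hostname": "agent-hostname", "user": "root",
     "log_time": "2017-07-03T06:30:02", "received": "2017-07-03T06:30:12"},
    # right time and user, wrong host: must still alert
    {"sid": 5501, "hostname": "other-host", "user": "ssh-user",
     "log_time": "2017-07-03T07:00:01", "received": "2017-07-03T07:00:09"},
    # right host and user, but not near a half-hour boundary
    {"sid": 5501, "hostname": "agent-hostname", "user": "ssh-user",
     "log_time": "2017-07-03T06:44:59", "received": "2017-07-03T06:45:10"},
]

# The rule as data.  `period` and `slack` are assumed names for this example:
# the job's schedule and how long after each boundary a matching event may
# still arrive (the 10-20 s jitter plus some transport delay).
RULE = {
    "if_sid": 5501,
    "hostname": "agent-hostname",
    "user": "ssh-user",
    "period": timedelta(minutes=30),
    "slack": timedelta(seconds=30),
}


def seconds_past_boundary(ts: datetime, period: timedelta) -> float:
    """Seconds elapsed since the most recent multiple of `period` counted
    from local midnight, so 06:30:18 with a 30-minute period gives 18."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return (ts - midnight).total_seconds() % period.total_seconds()


def in_window(ts: datetime, period: timedelta, slack: timedelta) -> bool:
    """True if `ts` falls within `slack` after a period boundary.  Only the
    interval after the boundary is accepted: a scheduled job never runs
    early, so anything before :00/:30 is not the job."""
    return seconds_past_boundary(ts, period) <= slack.total_seconds()


def rule_matches(rule: dict, event: dict, clock: str = "received") -> bool:
    """All three conditions must hold.  `clock` selects which timestamp the
    time check uses; "received" mirrors what the thread says OSSEC does."""
    if event["sid"] != rule["if_sid"]:
        return False
    if event["hostname"] != rule["hostname"] or event["user"] != rule["user"]:
        return False
    ts = datetime.fromisoformat(event[clock])
    return in_window(ts, rule["period"], rule["slack"])


def suppressed_events(rule: dict = RULE, events: list = EVENTS,
                      clock: str = "received") -> list:
    """Indices of events the rule would silence (no_email_alert)."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e, clock)]


if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        verdict = "SUPPRESS" if rule_matches(RULE, e) else "ALERT"
        print(f"{i}: {e['hostname']:15} {e['user']:9} "
              f"log={e['log_time'][11:]} recv={e['received'][11:]} -> {verdict}")
    print("on log_time the late event would also be suppressed:",
          suppressed_events(clock="log_time"))
```

Only the first event is suppressed on arrival time; the second, which the script did produce at 06:30:08, alerts because it reached the manager 100 s after the boundary. Switching the check to the log's own timestamp would suppress both, which is exactly the distinction Jesus points at: a `<time>` window sized for the job's jitter must also absorb agent-to-manager delivery delay, or a slow agent turns a routine run into an alert, and a wider window in turn widens what an attacker can hide behind on that host and user.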
Re: [ossec-list] OSSEC rule match time and timeframe
I never used it:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time

I think it is the time when the event comes to the manager (not the original time).

On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson wrote:
> > Hello,
> >
> > Let's say I have a script which runs once every half an hour, with a
> > latency difference of about 10-20 seconds.
> > Would it be possible to match the following:
> >
> > 1. Time
> > 2. Hostname
> > 3. Username
> >
> > The reason I prefer more than a single match, i.e. only time, is to not by
> > mistake miss an actual event.
> >
> >   <if_sid>5501</if_sid>
> >   <time>**:30</time>
> >   <hostname>agent-hostname</hostname>
> >   <user>ssh-user</user>
> >   <options>no_email_alert</options>
> >   <description>Ignore rule 5501 for host</description>
> >
>
> Where do you plan on getting the time from? The timestamps in the logs
> are stripped off and not evaluated.
>
> > Kind regards,
> > Fredrik
Re: [ossec-list] OSSEC rule match time and timeframe
On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson wrote:
> Hello,
>
> Let's say I have a script which runs once every half an hour, with a
> latency difference of about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3. Username
>
> The reason I prefer more than a single match, i.e. only time, is to not by
> mistake miss an actual event.
>
>   <if_sid>5501</if_sid>
>   <time>**:30</time>
>   <hostname>agent-hostname</hostname>
>   <user>ssh-user</user>
>   <options>no_email_alert</options>
>   <description>Ignore rule 5501 for host</description>
>

Where do you plan on getting the time from? The timestamps in the logs
are stripped off and not evaluated.

> Kind regards,
> Fredrik