Has there been any further thought on this issue? I am in the same boat.
On Wednesday, September 14, 2016 at 12:43:56 AM UTC-5, Vilius wrote:
>
> Jesus,
>
> when the question is whether I should send an alert into the void or into an archive, there
> are cases when archiving is the better option.
>
> Vilius
>
> On
My bad - I should have explained "bind" a bit more. This is actually part
of the FUSE filesystem (http://bindfs.org)
You will need to install fuse utils and Userspace programs -- example:
#yum search fuse
*fuse*.x86_64 : File System in Userspace (*FUSE*) utilities
I could write it all up --
Hey!
I know it's quite an old thread, but any chance you remember how to fix
this? I have an old/important Ossec server with too many Invalid Ids. Any
way I can filter the dead clients and remove them?
On Saturday, 8 December 2012 03:49:21 UTC+5:30, Brenden Walker wrote:
>
> On Fri, 7 Dec 201
On Thu, Jan 5, 2017 at 11:07 AM, Lisa Li wrote:
> As an update, some incomplete rsyslog related alerts are seen so that makes
> me ask if my issue is related to decoders or even rules. These alerts are
> generated by server-1 and not its 100 clients. Client alerts are not seen at
> all on central,
On Tue, Jan 24, 2017 at 2:12 PM, Kat wrote:
> There is a work-around which I have used.
> Dan is correct - you can't get to the folder outside of the chroot-ed jail.
> You can however, bring the folder in via:
>
> mount --bind /var/ossec/logs /data/logs/ossec
>
> The trick is to bind the directory
On Wed, Jan 25, 2017 at 6:00 AM, Bertrand Danos wrote:
> Hello Dan,
>
> Thanks for the option.
>
> I failed to use it.
> Here is what I did:
>
> * Edit file etc/ossec.conf
> * Add in the line: my_rules.xml
>
> * File rules/my_rules.xml :
>>
>>
>>
>>
>> 2501
>> 19:00 - 07:00
>>
Hello Dan,
Thanks for the option.
I failed to use it.
Here is what I did:
* Edit file etc/ossec.conf
* Add in the line: my_rules.xml
* File rules/my_rules.xml :
>
>
>
> 2501
> 19:00 - 07:00
> Not allowed time slot
>
>
>
>
>
I've tested the following messages with