I stopped them all (which appeared to work fine) and started again. Here is
the rule and decoder I made for this (I want to alert only once if the same
ID (filepath) has alerted in the past minute):
510
This is meant to reduce noise as these events happen in
batches with not
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made,
> restart, and still have the same issue.
>
Try stopping the ossec processes, verify that ossec-analysisd has
stopped (sometimes it doesn't
Yes I have, I've also tried to disable all the relevant changes I've made,
restart, and still have the same issue.
On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> > Hi all,
> >
> > I'm
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting
> spammed with alerts but I can't seem to tune it correctly. What's weird is
> that I am still getting alerted for rule 510 for this
Hi all,
I'm running into an issue where rule 510 is triggering and I'm getting
spammed with alerts but I can't seem to tune it correctly. What's weird is
that I am still getting alerted for rule 510 for this log, but I can't
figure out how to get that to show in logtest. Basically, I am
Hello Victor,
I tried to run a second manager and I have the same file
/var/ossec/etc/client.keys
on it and on the first manager. I've copied the local_rules, ossec.conf,
local_decoder as well.
And I've specified on the agents to listen on it as you told me:
10.0.0.1 10.0.0.2
My first
I'm not sure if this is a problem with the OSSEC configuration or the
host itself, but there are some events where the logs or full message only
have some of the information I need. For example, this will be the full
message I receive (2016-02-03 14:16:35 status installed some_package). The
Hello,
I have alerts coming in huge batches for rule 510. The batches of alerts
are essentially all the same event and the file path of the area that's
causing this is essentially identical in each batch except for the last
file. I'm trying to set up a rule that would look at the ID I set up in