Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
I stopped them all (which appeared to work fine) and started them again. Here is the rule and decoder I made for this (I want to alert only once if the same ID (filepath) has alerted in the past minute): 510 This is meant to reduce noise as these events happen in batches with not

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote: > Yes I have, I've also tried to disable all the relevant changes I've made, > restart, and still have the same issue. > Try stopping the ossec processes, verify that ossec-analysisd has stopped (sometimes it doesn't

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Yes I have, I've also tried to disable all the relevant changes I've made, restart, and still have the same issue. On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams > wrote: > > Hi all, > > > > I'm

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread dan (ddp)
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote: > Hi all, > > I'm running into an issue where rule 510 is triggering and I'm getting > spammed with alerts but I can't seem to tune it correctly. What's weird is > that I am still getting alerted for rule 510 for this

[ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-05 Thread Rob Williams
Hi all, I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am

[ossec-list] Alert for rule 510 is being generated, but logtest is not showing that any alert should be generated.

2017-04-05 Thread Rob Williams
Hi all, I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am

Re: [ossec-list] Redundancy manager (backup)

2017-04-05 Thread Martin
Hello Victor, I tried to run a second manager and I have the same file /var/ossec/etc/client.keys on it and on the first manager. I've copied the local_rules, ossec.conf, local_decoder as well. And I've specified on the agents to listen on him as you told me ; 10.0.0.1 10.0.0.2 My first

[ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-05 Thread Jake B.
I'm not sure if this is a problem with the OSSEC configuration or the host itself, but there are some events where the logs or full message only have some of the information I need. For example, this will be the full message I receive (2016-02-03 14:16:35 status installed some_package). The

[ossec-list] OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-05 Thread Jake B.
Hello, I have alerts coming in huge batches for rule 510. The batches of alerts are essentially all the same event and the file path of the area that's causing this is essentially identical in each batch except for the last file. I'm trying to set up a rule that would look at the ID I set up in