Re: [ossec-list] Re: Rule fired but active-response didn't work

2017-07-08 Thread dan (ddp)
On Mon, Jul 3, 2017 at 10:26 PM, Tunguyen wrote:
> I've checked the ossec.conf on server side and agent side, those are all the
> same as yours
> Here is the agent side:
>
> 20,40,60
>
>
> And the server side is same as above, except that I add
> like this:
>

Re: [ossec-list] OSSEC rule match time and timeframe

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 6:11 AM, Jesus Linares wrote:
> I never used it:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
>
> I think it is the time when the event comes to the manager (not the original
> time).
>
Oh, ok. Obviously I have never used

Re: [ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 4:15 AM, Kazim Koybasi wrote:
> Yes, OSSEC is mentioning the log files and says it is analyzing the log file. I tried
> with apache log format and without logformat settings and the result is the
> same. What could be a workaround for that?
>
Provide a log sample of a

Re: [ossec-list] Throttling of events in OSSEC

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 8:07 AM, chintan shah wrote:
> Hi Guys,
>
> Just wanted to check if anybody has an idea on how to throttle the events in
> OSSEC. I have a situation where there are 20 duplicate alerts within a
> second and I would want to raise only 1 alert for

Re: [ossec-list] Integration with MS SCCM

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 8:10 AM, Irshad Rahimbux wrote:
> I have done all the configuration in ms-sccm.cfg [existing file in plugin
> folder].
>
That must be an OSSIM thing. Unrelated to OSSEC.

> But still don't see anything in alerts.log.
>
Turn on the logall option,