Re: [ossec-list] Re: Alert level "0" in rule and frequency

2011-07-11 Thread dan (ddp)
On Sun, Jul 10, 2011 at 4:26 PM, Jason Frisvold wrote:
> On Jul 9, 2011, at 1:28 PM, jplee3 wrote:
>> Turns out that you need to have it set to be logged, so level 1 or higher otherwise the if_matched_sid frequency will never fire - seems l

Re: [ossec-list] Re: Alert level "0" in rule and frequency

2011-07-11 Thread Daniel Cid
Yes, when the event is classified as a level 0, it is discarded automatically (if no child rule matches). So if you want to correlate it, you need to increase the severity... You can also add the no_log option to make sure it doesn't get logged.

thanks,

On Sun, Jul 10, 2011 at 5:26 PM, Jason Fri

Re: [ossec-list] Re: Alert level "0" in rule and frequency

2011-07-10 Thread Jason Frisvold
On Jul 9, 2011, at 1:28 PM, jplee3 wrote:
> Turns out that you need to have it set to be logged, so level 1 or higher otherwise the if_matched_sid frequency will never fire - seems like it's depending on the alert being logged in order to properly

[ossec-list] Re: Alert level "0" in rule and frequency

2011-07-09 Thread jplee3
Turns out that you need to have it set to be logged, so level 1 or higher, otherwise the if_matched_sid frequency will never fire - seems like it's depending on the alert being logged in order to properly function.

On Jul 7, 10:19 am, Jeremy Lee wrote:
> Thanks for the suggestion. I tried this out

Re: [ossec-list] Re: Alert level "0" in rule and frequency

2011-07-07 Thread Jeremy Lee
Thanks for the suggestion. I tried this out briefly and it doesn't seem to work. The rule that triggers is the upper but I never saw the lower trigger.

On Thu, Jul 7, 2011 at 10:07 AM, Jason 'XenoPhage' Frisvold <xenoph...@godshell.com> wrote:

Re: [ossec-list] Re: Alert level "0" in rule and frequency

2011-07-07 Thread Jason 'XenoPhage' Frisvold
On 07/06/2011 08:15 PM, jplee3 wrote:
> One other question I have regarding frequency rules and hierarchy. We currently have two frequency rules set up to trigger against a parent rule where the difference is the frequencies - one is set to trigger

[ossec-list] Re: Alert level "0" in rule and frequency

2011-07-06 Thread jplee3
Hmm, so I stumbled across this thread: http://www.mail-archive.com/ossec-list@googlegroups.com/msg04619.html

And it sounds like at least one other person ran into the same issue. We had to enable a log level of 1 in order to get things working as it seems a log level of 0 does not work in conjunc