I think ignore="7200" means that after rule 531 is triggered for the first time,
it will not be triggered again for at least 7200 seconds.
This means that, at most, you will get a rule 531 alert every 2 hours. The first alert
should not be delayed.

On Thursday, August 8, 2013 10:57:11 AM UTC-7, David Blanton wrote:
>
> I've been playing around with logfile commands, active-response, and the
> rules associated with them.
>
> For <localfile> <log_format>command</log_format> <command>df -h</command>
> </localfile> I noticed that the 531 rule associated with it has an
> ignore="7200" within the rule. Would that mean that there is a delay of
> 7200 seconds before an alert is prompted if the partition reaches the hard
> drive space % that is noted? What is the reasoning behind this delay, and
> what is the 'flooding' that the ossec manual mentions if this ignore is not
> there? How does the 7200 second ignore prevent the flooding?
>

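To make the suppression behaviour described in the reply concrete, here is a small added simulation. It is not code from this thread or from OSSEC itself: it models the rule as the reply explains it (the first match alerts immediately, later matches are dropped until the ignore window has passed, measured from the last alert that fired), and the `df -h` output and the 10-minute polling schedule are constructed sample data.

```python
import re

# ignore="7200" on rule 531, as quoted in the thread
IGNORE_SECONDS = 7200

# One data line of `df -h`: filesystem, size, used, avail, use%, mount point
DF_LINE = re.compile(
    r"^(?P<fs>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<pct>\d+)%\s+(?P<mount>\S+)$"
)


def full_partitions(df_output):
    """Return the mount points whose usage column reads 100%.

    Rule 531 fires on a 100% partition in the 'df -h' command output, so a
    non-empty result here stands for 'rule 531 matched this sample'.
    """
    full = []
    for line in df_output.splitlines():
        m = DF_LINE.match(line.strip())
        if m and int(m.group("pct")) == 100:
            full.append(m.group("mount"))
    return full


def apply_ignore(match_times, ignore_seconds=IGNORE_SECONDS):
    """Given the times (seconds) at which the rule matched, return the times
    at which an alert is actually raised.

    Modelled on the reply: the first match alerts with no delay; any match
    within ignore_seconds of the last alert is suppressed. (Assumption: the
    window is counted from the last alert, not from the last match.)
    """
    alerts = []
    last_alert = None
    for t in match_times:
        if last_alert is None or t - last_alert >= ignore_seconds:
            alerts.append(t)
            last_alert = t
    return alerts


def simulate(samples, ignore_seconds=IGNORE_SECONDS):
    """samples: list of (t_seconds, df_output). Return alert times."""
    matches = [t for t, out in samples if full_partitions(out)]
    return apply_ignore(matches, ignore_seconds)


# Constructed sample: root partition is full and stays full.
SAMPLE_DF = """Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        20G   20G     0 100% /
tmpfs           2.0G     0  2.0G   0% /dev/shm"""

# Constructed schedule: the command runs every 10 minutes for 5 hours.
SAMPLES = [(t, SAMPLE_DF) for t in range(0, 5 * 3600, 600)]

if __name__ == "__main__":
    # 30 matches, but only three alerts: t=0, t=7200, t=14400
    print("matches:", len([s for s in SAMPLES if full_partitions(s[1])]))
    print("alerts at:", simulate(SAMPLES))
```

With the window removed (`ignore_seconds=0`) every one of the thirty samples becomes an alert, which is the flooding the manual warns about: the condition has not changed, but the same alert is raised on every poll. With the window in place the first alert is immediate and the condition is re-announced every two hours while it persists.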