There is a paper describing how to do this with Nagios here:
http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf . Perhaps
looking at what they do can help.
On 12/15/2010 10:44 AM, Christopher Moraes wrote:
Hi,
I have the exact same deployment scenario (ossec running off a syslog-ng
centralized log) and requirement, i.e. to identify if some servers/devices
stop logging.
Ossec does not support this by default, but I'm thinking of using the
active-response feature to do this.
What I *plan* to do is -
There should be an alert for when there are more messages than
average, but nothing that I know of for not receiving any messages.
On Wed, Dec 15, 2010 at 5:30 AM, NewRules wrote:
> Hi,
>
> I'm using ossec as a log correlator.
> For log centralization I'm using syslog-ng (for formatting features)
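The check the thread says OSSEC lacks (a host that has gone quiet) can be done outside OSSEC on the centralized syslog-ng output. The following is an added example, not code from any poster, OSSEC or syslog-ng; the log lines, hostnames and the 2010 year used to complete the BSD-syslog timestamps are constructed:

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of centralized syslog-ng output (BSD syslog format, no year).
SAMPLE_LOG = """\
Dec 15 10:40:01 web01 sshd[2211]: Accepted publickey for ops from 10.0.0.5 port 51022
Dec 15 10:40:07 db01 postgres[900]: checkpoint complete
Dec 15 10:41:30 web01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
Dec 15 10:42:12 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9
Dec 15 10:43:55 web01 sshd[2290]: Failed password for invalid user test
Dec 15 10:44:10 db01 postgres[900]: checkpoint starting
"""

# Timestamp and hostname at the start of each line; the rest is program/message.
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")

def parse(lines, year):
    """Yield (timestamp, host) for every well-formed syslog line, skipping junk."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2)

def last_seen(lines, year=2010):
    """Most recent timestamp observed per host (the state a silence check needs)."""
    seen = {}
    for ts, host in parse(lines, year):
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_hosts(seen, expected_hosts, now, max_silence):
    """Expected hosts that never logged, or logged longer ago than max_silence."""
    return sorted(h for h in expected_hosts
                  if h not in seen or now - seen[h] > max_silence)

def message_counts(lines, year=2010):
    """Messages per host: the input for a 'more than average' volume check."""
    return Counter(host for _, host in parse(lines, year))

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    now = datetime(2010, 12, 15, 10, 45)
    inventory = {"web01", "db01", "fw01", "vpn01"}   # hosts that should be logging
    print("silent:", silent_hosts(last_seen(lines), inventory, now, timedelta(minutes=2)))
    print("volume:", message_counts(lines))
```

The inventory of expected hosts must come from outside the logs (CMDB, syslog-ng config), since a host that has never logged leaves nothing to learn from.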
Hi,
I'm using ossec as a log correlator.
For log centralization I'm using syslog-ng (for formatting features),
thus I'm not using ossec agents for log collection.
I want to know if there is any option to set an alert when no logs or an
unusual amount of logs from a certain host is noticed.
The probl