Hi.
In normal operation, OSSEC connects once, on startup, and closes the socket
on exiting. But, because of the way UDP behaves, there isn't an actual
"connection"; instead, every datagram is independent of the rest.
Maybe this is the reason why the firewall considers every delivery as a
Hi,
Unfortunately Windows audit (EventLog configuration) has no specific
configuration for this.
If auditing of Windows Firewall events is enabled, all firewall
events (chrome, internet explorer, ping, etc.) are logged. (So we *cannot
exclude OSSEC firewall events*.)
If auditing of Windows
Hi Abdulvehhab.
That makes sense; it falls into an infinite recursion. But it's a bit
difficult to store some messages and send them to the server, since the
protocol consists of one datagram per message. Even if the agent stored
some messages and sent all of them at once, the firewall would
At this time (sending each event immediately) it produces *lots of* 5156
Windows Firewall events:
The Windows Filtering Platform has permitted a connection.
Application Information:
  Process ID: 0
  Application Name: \program files (x86)\ossec-agent\ossec-agent.exe
Network Information:
On Wed, Jun 8, 2016 at 12:48 PM, Abdulvehhab Agin wrote:
> Hi,
>
> I am looking to optimize the sending of Windows event logs. My systems
> generate too many Windows events.
>
> I analysed network traffic via Wireshark; OSSEC opens too many
> connections and sends logs
Hi,
I am looking to optimize the sending of Windows event logs. My systems
generate too many Windows events.
I analysed network traffic via Wireshark; OSSEC opens too many
connections and sends logs (about 40 per second).
Thus,
I don't want to connect to the OSSEC server for each event. Is