Hi Worawit,

The "no_log" option means do not log (in archives or alerts log) at all. The reason we do that with firewall logs is because they are already logged (in a normalized way) at /var/ossec/logs/firewall/firewall.log

Hope it helps to clarify.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/20/07, Worawit Wang <[EMAIL PROTECTED]> wrote:
> Hi Daniel,
>
> I have a problem about no_log option.
>
> I found "Multiple Firewall drop events from same source" (rule id 4151 in
> firewall_rules.xml) alert but no "Firewall drop event" (rule id 4101) in
> alerts.log. When removing "<options>no_log</options>" line in rule id 4101,
> there are "Firewall drop event" alerts.
>
> In my opinion, no_log means log will not be logged in archives.log only. But
> I found no_log means log will not be logged in archives.log and alerts.log.
>
> What does it really mean? or I messed up something???
>
> Thanks,
> Worawit
>
