Hey,

This is a bug, so just ignore for now. You can set <stats> to 2 (or 0 to completely disable) in your ossec.conf to avoid getting those. I will make a fix for it on the next snapshot...

*the ossec-keepalive is an internal message between the agent/server to check if they are alive, so they shouldn't be counted in the stats.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Mar 5, 2009 at 1:02 PM, cryogen <[email protected]> wrote:
>
> Greetings,
>
> I saw this in the alerts list this morning. I've seen alerts like
> this before, but the thing that caught my eye was the ossec-keepalive
> line:
>
> 2009 Mar 05 08:35:51 Rule Id: 11 level: 8
> Location: (agent) 10.0.0.2->ossec-keepalive
> Excessive number of events (above normal).
> The average number of logs between 8:00 and 9:00 is 308. We reached 559.
>
> Could someone enlighten me as to what ossec-keepalive is and why it's
> creating a lot of events? Has anyone seen this before?
>
> --cryogen
>
