Okay. I look for the fix eventually. Thanks for the info. On Mar 5, 2009, at 10:54 AM, Daniel Cid wrote:
> > Hey, > > This is a bug, so just ignore for now. You can set <stats> to 2 (or 0 > to completely disable) in your > ossec.conf to avoid getting those. I will make a fix for it on the > next snapshot... > > *the ossec-keepalive is an internal message between the agent/server > to check if they are alive, so > they shouldn't be count in the stats. > > Thanks, > > -- > Daniel B. Cid > dcid ( at ) ossec.net > > > > On Thu, Mar 5, 2009 at 1:02 PM, cryogen <[email protected]> wrote: >> >> Greetings, >> >> I saw this in the alerts list this morning. I've seen alerts like >> this before, but the thing that caught my eye was the ossec-keepalive >> line: >> >> 2009 Mar 05 08:35:51 Rule Id: 11 level: 8 >> Location: (agent) 10.0.0.2->ossec-keepalive >> Excessive number of events (above normal). >> The average number of logs between 8:00 and 9:00 is 308. We >> reached 559. >> >> Could someone enlighten me as to what ossec-keepalive is and why it's >> creating a lot of events? Has anyone seen this before? >> >> --cryogen >>
PGP.sig
Description: This is a digitally signed message part
