Hi,

OSSEC maintains an internal database with the number of events per agent, and if an agent exceeds that number of events, it fires an alert. Basically you can use that alert to discover strange activity on servers. I have mail servers with high load all the time firing that alert :)

Greetings

Bradley Radjoo wrote:
> Hello there,
>
> They are events.
>
> On 25 Mar 2010, at 2:48 PM, Iñaki R. wrote:
>
>> Hi Bradley,
>>
>> Logs or events? I never saw that message with number of log files but
>> with number of events.
>>
>> Greetings
>>
>> Bradley Radjoo wrote:
>>> Greetings,
>>>
>>> I noticed something yesterday on all these OSSEC e-mail notifications.
>>>
>>> A mail said there were excessive logs in /var/log/<something> - like 2000+
>>> logs when the average was 1000 between blah and bleh
>>>
>>> I looked in the log. That hour had like 50 logs.
>>>
>>> So, what exactly does OSSEC count to get these numbers and what does the
>>> number mean?
>>>
>>> Regards,
>>> Bradley
>>> Please note: This email and its content are subject to the disclaimer as
>>> displayed at the following link
>>> http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm.
>>> Should you not have Web access, send an email to [email protected]
>>> and a copy will be sent to you.
>>>
>>> To unsubscribe from this group, send email to
>>> ossec-list+unsubscribegooglegroups.com or reply to this email with the
>>> words "REMOVE ME" as the subject.
>
> -----
>
> Regards,
>
> Bradley Radjoo
> Infrastructure Services
> Internet Solutions
> 087 365 0664 (Phone)
> 011 576 0664 (Fax)
>
> Anyone who has never made a mistake has never tried anything new. — Albert
> Einstein.
