understood... hmmmmm. Thanks for the feedback ;-)

I did a check on some of the most recent alerts:

grep "Mar 25 10" messages | wc

or some such. The number that came back was slightly more than what the alert said. So that means that OSSEC was counting log entries for the hour and sent the alert when the number was much more than the average. It doesn't have to count everything for the full hour to see that.

I'm more curious about the case where it says there were X entries in a file, and that file has way less than X. I suppose it could happen if the log was rotated while being scanned.

-----
Regards,
Bradley Radjoo

Anyone who has never made a mistake has never tried anything new. — Albert Einstein.

On 25 Mar 2010, at 8:16 PM, Iñaki R. wrote:

> Hi,
>
> ossec maintains an internal database with the number of events per agent
> and if an agent exceeds that number of events, it fires an alert.
> Basically you can use that alert to discover strange activity on
> servers. I have mail servers with high load all the time firing that
> alert :)
>
> Greetings
>
> Bradley Radjoo wrote:
>> Hello there,
>>
>> They are events.
>>
>> On 25 Mar 2010, at 2:48 PM, Iñaki R. wrote:
>>
>>> Hi Bradley,
>>>
>>> logs or events? I never saw that message with a number of log files but
>>> with a number of events.
>>>
>>> Greetings
>>>
>>> Bradley Radjoo wrote:
>>>> Greetings,
>>>>
>>>> I noticed something yesterday in all these OSSEC e-mail notifications.
>>>>
>>>> A mail said there were excessive logs in /var/log/<something> - like 2000+
>>>> logs when the average was 1000 between blah and bleh.
>>>>
>>>> I looked in the log. That hour had like 50 logs.
>>>>
>>>> So, what exactly does OSSEC count to get these numbers and what does the
>>>> number mean?
>>>>
>>>> Regards,
>>>> Bradley
>>>>
>>>> Please note: This email and its content are subject to the disclaimer as
>>>> displayed at the following link
>>>> http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm.
>>>> Should you not have Web access, send an email to [email protected]
>>>> and a copy will be sent to you.
>>>>
>>>> To unsubscribe from this group, send email to
>>>> ossec-list+unsubscribe@googlegroups.com or reply to this email with the
>>>> words "REMOVE ME" as the subject.
>>
>> -----
>>
>> Regards,
>>
>> Bradley Radjoo
>> Infrastructure Services
>> Internet Solutions
>> 087 365 0664 (Phone)
>> 011 576 0664 (Fax)
>>
>> Anyone who has never made a mistake has never tried anything new. — Albert
>> Einstein.
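As an added illustration of the mechanism the thread describes (an hourly tally of events per source, compared against a stored average, with an alert when the tally runs well above it), here is a small Python script. It is not OSSEC's own code and does not reproduce OSSEC's real thresholds: the baseline table, the 2x factor, the `sshd` log lines and the host names are all constructed for the example. It also implements the manual cross-check used above (`grep "Mar 25 10" messages | wc`) so the two numbers can be compared on the same input.

```python
"""Hourly event-rate check over syslog-style lines.

Added example, not OSSEC code. The baseline averages, the alert factor and
the sample log lines are constructed for illustration only.
"""
import re
from collections import Counter

# Syslog timestamp prefix: "Mar 25 10:03:17 host prog[pid]: message"
# (day may be space-padded, e.g. "Mar  5 ...", hence the " +").
_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):\d{2}:\d{2} ")


def hour_key(line):
    """Return (month, day, hour) for a syslog line, or None if it has no timestamp."""
    m = _TS.match(line)
    if not m:
        return None
    return (m.group(1), int(m.group(2)), int(m.group(3)))


def count_events_per_hour(lines):
    """Tally events per (month, day, hour) bucket; lines without a timestamp are skipped."""
    counts = Counter()
    for line in lines:
        key = hour_key(line)
        if key is not None:
            counts[key] += 1
    return counts


def count_hour_like_grep(lines, prefix):
    """The manual cross-check from the thread: grep "<Mon DD HH>" file | wc -l."""
    return sum(1 for line in lines if line.startswith(prefix))


def excessive_events(counts, baseline_avg, factor=2.0):
    """Flag buckets whose count exceeds factor x the baseline average for that hour of day.

    The rule (a fixed multiple of a per-hour average) is an assumption made for
    this example; it is not a statement of how OSSEC computes its threshold.
    """
    alerts = []
    for (mon, day, hour), n in sorted(counts.items()):
        avg = baseline_avg.get(hour)
        if avg is not None and n > factor * avg:
            alerts.append({"hour": f"{mon} {day} {hour:02d}", "count": n, "average": avg})
    return alerts


# Constructed sample: a quiet 09:00 hour and a noisy 10:00 hour (brute-force attempts),
# plus one malformed line to show that it is ignored rather than counted.
SAMPLE_LOG = [
    f"Mar 25 09:{m:02d}:00 web1 sshd[1001]: Accepted publickey for ops from 10.0.0.5 port 50122"
    for m in (2, 17, 33, 49)
] + [
    f"Mar 25 10:{m:02d}:00 web1 sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 41022"
    for m in range(0, 60, 5)
] + ["garbage line without timestamp"]

# Constructed baseline: assumed average events per hour-of-day for this file.
BASELINE_AVG = {9: 5, 10: 5}


if __name__ == "__main__":
    counts = count_events_per_hour(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(f"{key[0]} {key[1]} {key[2]:02d}: {n} events")
    print("grep-style check for 'Mar 25 10':", count_hour_like_grep(SAMPLE_LOG, "Mar 25 10"))
    for a in excessive_events(counts, BASELINE_AVG):
        print(f"ALERT: {a['count']} events in hour {a['hour']} (average {a['average']})")
```

On this input both the tally and the grep-style check give 12 for the 10:00 hour, which is the agreement reported above. The tally is over lines the collector has read, not over whatever the file holds at the moment someone looks; if the file is rotated between the two, the count in the alert can exceed what the current file contains, which is consistent with the rotation explanation suggested in the reply.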
