Thanks for the guidance. I looked into the log on newman (which is the OSSEC server).

All the excessive alerts indicate "mail - stats". Does this help narrow down the issue? Possibly some tweak I can make?

** Alert 1271421891.358061: mail - stats,
2010 Apr 16 07:44:51 (unixmstr.sungard) 172.24.203.138->rootcheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 7:00 and 8:00 is 415. We reached 666.

** Alert 1271426220.619212: mail - stats,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 8:00 and 9:00 is 479. We reached 730.

** Alert 1271417553.254691: mail - stats,
2010 Apr 16 06:32:33 (marley) 144.122.203.18->rootcheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 6:00 and 7:00 is 573. We reached 824.

____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]

"Accomplishing the impossible means only that your boss will add it to your regular duties" Doug Larson

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

From: "dan (ddp)" <[email protected]>
To: [email protected]
Date: 04/16/2010 11:49 AM
Subject: Re: [ossec-list] Excessive number of events
Sent by: [email protected]
Is newman your ossec server? If so, check the logfile it mentions.

Basically, one or more hosts have logged (during a specific time frame, possibly mentioned in the alert) more events than usual. These could be multiple occurrences of the same event trigger, or entirely different types of events.

Depending on your storage methods you could investigate in a number of ways. Something like logwatch might be useful to help reduce the amount of raw data you have to sift through. If you log to a database (ossec-dbd), there is probably some simple-ish SQL to help find an answer.

I don't think there is a one-size-fits-all answer to this question, except for the very broad: look at the logs.

On 4/16/10, Michael Barrett <[email protected]> wrote:
> Any advice on how to find out what is going on? What can cause this alert,
> where would I look for more information?
> From: "dan (ddp)" <[email protected]>
> To: [email protected]
> Date: 04/16/2010 08:24 AM
> Subject: Re: [ossec-list] Excessive number of events
> Sent by: [email protected]
>
> It tells you that you are getting an abnormal amount of alerts for
> that time of the day.
> Something is happening to cause those alerts, find out what.
>
> On Thu, Apr 15, 2010 at 5:05 PM, Michael Barrett
> <[email protected]> wrote:
>> Message: <30>Apr 15 15:37:50 newman ossec:/var/ossec/logs/alerts/alerts.log
>> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
>>
>> I get several of these every day. I asked a question about suppressing
>> them and was told that I shouldn't do it.
>>
>> What does this alert tell me? How would I follow up on this event?
>>
>> --
>> To unsubscribe, reply using "remove me" as the subject.
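A worked example of the "look at the logs" approach dan suggests, added here and not taken from the thread or from the OSSEC project: it parses alerts.log blocks in the layout quoted above from a constructed sample and, for each rule 11 alert, tallies which agent and log location produced the most alerts in that hour. It assumes that the rule 11 alert names only the event that tipped the hourly total (so all agents' alerts in that hour are counted); the agent names and IPs echo the thread, while the individual events, rule hits and line parsing are constructed for illustration.

```python
import re
from collections import Counter
# Constructed alerts.log excerpt in OSSEC 2.x layout; hosts/IPs echo the thread, events are invented.
SAMPLE_ALERTS = """\
** Alert 1271421600.100000: - syslog,sshd,
2010 Apr 16 07:40:00 (funt) 172.24.189.13->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Apr 16 07:40:00 funt sshd[123]: Failed password for root from 10.0.0.5 port 5000 ssh2

** Alert 1271421660.200000: - syslog,sshd,
2010 Apr 16 07:41:00 (funt) 172.24.189.13->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Apr 16 07:41:00 funt sshd[124]: Failed password for root from 10.0.0.5 port 5001 ssh2

** Alert 1271421720.300000: - ossec,rootcheck,
2010 Apr 16 07:42:00 (marley) 144.122.203.18->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/shm/x' present on /dev. Possible hidden file.

** Alert 1271421891.358061: mail - stats,
2010 Apr 16 07:44:51 (unixmstr.sungard) 172.24.203.138->rootcheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
The average number of logs between 7:00 and 8:00 is 415. We reached 666.
"""
HEADER = re.compile(r"^\*\* Alert \d+\.\d+: ")
ORIGIN = re.compile(r"^\d{4} \w{3} \d\d (\d\d):\d\d:\d\d \((.+?)\) \S+->(.+)$")
RULE = re.compile(r"^Rule: (\d+) \(level \d+\) -> ")
STATS = re.compile(r"is (\d+)\. We reached (\d+)\.")
def parse_alerts(text):
    """One dict per '** Alert' block: hour, agent, location, rule, plus avg/reached for rule 11."""
    alerts = []
    for line in text.splitlines():
        if HEADER.match(line):
            alerts.append({})  # a new alert block starts here
        elif alerts and (m := ORIGIN.match(line)):
            alerts[-1].update(hour=int(m[1]), agent=m[2], location=m[3])
        elif alerts and (m := RULE.match(line)):
            alerts[-1]["rule"] = int(m[1])
        elif alerts and (m := STATS.search(line)):
            alerts[-1].update(avg=int(m[1]), reached=int(m[2]))
    return alerts
def explain_rule11(text):
    """Per rule 11 alert: (agent it names, events above the hourly average, top (agent, location) sources)."""
    alerts = parse_alerts(text)
    # Rule 11 names only the event that tipped the hourly total, so count every other alert in that hour.
    def sources(hour):
        return Counter((b["agent"], b["location"]) for b in alerts
                       if b.get("rule") != 11 and b.get("hour") == hour)
    return [(a["agent"], a["reached"] - a["avg"], sources(a["hour"]).most_common(3))
            for a in alerts if a.get("rule") == 11]
```

Run it against a real /var/ossec/logs/alerts/alerts.log to see which host and log source account for the excess in each flagged hour, then check that source's raw log for the repeating event.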
