I'm guessing the systems are unixmstr.sungard, funt, and marley. The times to look at are 6:00 to 7:00, 7:00 to 8:00, 8:00 to 9:00 on the various systems. And it looks like it might be worth investigating, since you're getting 200-300 more alerts for those systems than you usually get.
On Fri, Apr 16, 2010 at 1:53 PM, Michael Barrett <[email protected]> wrote:
> Thanks for the guidance, I looked into the log on newman (which is the
> OSSEC server)
>
> All the excessive alerts indicate "mail - stats"
>
> Does this help narrow down the issue? Possibly some tweak I can make?
>
> ** Alert 1271421891.358061: mail - stats,
> 2010 Apr 16 07:44:51 (unixmstr.sungard) 172.24.203.138->rootcheck
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 7:00 and 8:00 is 415. We reached 666.
>
> ** Alert 1271426220.619212: mail - stats,
> 2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 8:00 and 9:00 is 479. We reached 730.
>
> ** Alert 1271417553.254691: mail - stats,
> 2010 Apr 16 06:32:33 (marley) 144.122.203.18->rootcheck
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 6:00 and 7:00 is 573. We reached 824.
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]
>
> “Accomplishing the impossible means only that your boss will add it to your regular duties” Doug Larson
>
> This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
>
> From: "dan (ddp)" <[email protected]>
> To: [email protected]
> Date: 04/16/2010 11:49 AM
> Subject: Re: [ossec-list] Excessive number of events
> Sent by: [email protected]
>
> Is newman your ossec server? If so, check the logfile it mentions.
> Basically, one or more hosts have logged (during a specific time frame,
> possibly mentioned in the alert) more events than usual. These could be
> multiple occurrences of the same event trigger, or entirely different
> types of events.
> Depending on your storage methods you could investigate in a number of
> ways. Something like logwatch might be useful to help reduce the
> amount of raw data you have to sift through. If you log to a database
> (ossec-dbd), there is probably some simple-ish sql to help find an
> answer.
> I don't think there is a one-size-fits-all answer to this question,
> except for the very broad: look at the logs.
>
> On 4/16/10, Michael Barrett <[email protected]> wrote:
>> Any advice on how to find out what is going on? What can cause this alert,
>> where would I look for more information?
>>
>> From: "dan (ddp)" <[email protected]>
>> To: [email protected]
>> Date: 04/16/2010 08:24 AM
>> Subject: Re: [ossec-list] Excessive number of events
>> Sent by: [email protected]
>>
>> It tells you that you are getting an abnormal amount of alerts for
>> that time of the day.
>> Something is happening to cause those alerts, find out what.
>>
>> On Thu, Apr 15, 2010 at 5:05 PM, Michael Barrett <[email protected]> wrote:
>>> Message: <30>Apr 15 15:37:50 newman ossec:/var/ossec/logs/alerts/alerts.log
>>> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
>>>
>>> I get several of these every day. I asked a question about suppressing
>>> them and was told that I shouldn't do it.
>>>
>>> What does this alert tell me? How would I follow up on this event?
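An added triage example, not from the thread and not OSSEC's own code: a Python parser for the alerts.log record layout quoted above that counts the non-stat alerts per agent per hour and lists the rules that dominate a window, so a rule 11 alert can be traced back to what actually fired. The sample records are constructed (host names and IPs reuse the thread's only for illustration), and the parser assumes the standard three-line record head (`** Alert` line, date/agent line, `Rule:` line), with the `(agent)` part optional for server-local logs.

```python
import re
from collections import Counter

# Constructed sample in the alerts.log layout quoted in the thread (not real data;
# host names and IPs reuse the thread's only for illustration).
SAMPLE_ALERTS = """\
** Alert 1271421700.100001: ossec,syscheck,
2010 Apr 16 07:41:40 (unixmstr.sungard) 172.24.203.138->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1271421710.100002: ossec,syscheck,
2010 Apr 16 07:41:50 (unixmstr.sungard) 172.24.203.138->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1271421891.358061: mail - stats,
2010 Apr 16 07:44:51 (unixmstr.sungard) 172.24.203.138->rootcheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'

** Alert 1271426220.619212: syslog,sshd,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
"""

# Head of each record: "** Alert <ts>: <groups>," / "<date> (<agent>) <src>-><location>" /
# "Rule: <id> (level <n>) -> '<desc>'". The "(<agent>) " part is absent for server-local logs.
ALERT_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.\d+: (?P<group>[^\n]+),\n"
    r"\d{4} \w{3} \d{2} (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) )?(?P<src>\S+)->(?P<location>\S+)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'",
    re.MULTILINE,
)
STATS_RULE = 11  # the 'Excessive number of events' alert itself: the symptom, not the cause

def parse_alerts(text):
    """One dict per record, keeping only the fields the triage below needs."""
    return [{"ts": int(m["ts"]), "hour": int(m["hour"]), "agent": m["agent"] or m["src"],
             "location": m["location"], "rule": int(m["rule"]), "level": int(m["level"]),
             "desc": m["desc"]} for m in ALERT_RE.finditer(text)]

def events_per_agent_hour(alerts):
    """Count non-stat alerts per (agent, hour): which host was noisy, and when."""
    return Counter((a["agent"], a["hour"]) for a in alerts if a["rule"] != STATS_RULE)

def top_rules(alerts, agent, hour, n=3):
    """Most frequent (rule, description) for one agent in one hour: what drove the spike."""
    c = Counter((a["rule"], a["desc"]) for a in alerts
                if a["agent"] == agent and a["hour"] == hour and a["rule"] != STATS_RULE)
    return [(rule, desc, count) for (rule, desc), count in c.most_common(n)]
```

Run it over the real alerts.log for the hour named in the rule 11 alert, then compare the top rules for that agent against a quiet hour; a single rule accounting for the whole delta usually points straight at the misbehaving process or a noisy decoder.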
