On Tue, Apr 20, 2010 at 1:14 PM, Michael Barrett <[email protected]> wrote:
> Can you point me in the right direction? What does mail-stats mean?
> Where would I be looking on the target? This was just a small sample of all
> the actual alerts.
I thought I pointed a couple of times. I don't quite understand what information you're lacking here.

** Alert 1271426220.619212: mail - stats,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 8:00 and 9:00 is 479. We reached 730.

On April 16, 2010 the system funt (possibly at IP 172.24.189.13), between the hours of 8:00 and 9:00, had 730 events recorded by OSSEC. It looks like these alerts may be related to syscheck, but I am not positive. Look through the OSSEC logs for syscheck events for that host between 8:00 and 9:00 on April 16, 2010.

The previous average number of logs for the hour between 8:00 and 9:00 was 479. The system had roughly 251 more events than average between the hours of 8:00 and 9:00 on April 16, 2010.

I think "stats" is the group the alert belongs to.
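The alert quoted in the reply is in OSSEC's standard alerts.log layout: a header line with the epoch timestamp and rule groups, an origin line with date, agent name, agent IP and log location, a Rule line with id, level and description, and then rule-specific body lines. As an added example (not code from the thread or from the OSSEC project), the Python below parses that layout, pulls out the fields asked about (host, IP, location, groups, rule, level), computes the excess the reply works out by hand (730 - 479 = 251), and then lists the other alerts from the same host in the same hour window, which is where the reply says to start looking. The first sample alert is the one from the thread; the second is constructed here for illustration and uses rule 550 only as a plausible syscheck alert.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample alerts.log text. The first block is the alert quoted in the
# thread; the second block is CONSTRUCTED for this example so that there
# is a non-stats alert for the same host and hour to find.
SAMPLE_ALERTS = """\
** Alert 1271426220.619212: mail - stats,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 8:00 and 9:00 is 479. We reached 730.

** Alert 1271426300.100000: mail - syscheck,
2010 Apr 16 08:58:20 (funt) 172.24.189.13->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?P<groups>.+?),\s*$")
# Origin line: agents appear as "(name) ip->location", the server itself
# as "hostname->location"; both forms are accepted.
ORIGIN_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>.+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
STATS_RE = re.compile(
    r"^The average number of logs between (?P<start>\d+):00 and (?P<end>\d+):00 "
    r"is (?P<avg>\d+)\. We reached (?P<seen>\d+)\.$"
)


@dataclass
class Alert:
    timestamp: float
    groups: List[str]
    date: str
    host: str
    ip: Optional[str]
    location: str
    rule_id: int
    level: int
    description: str
    body: List[str] = field(default_factory=list)

    def hour(self) -> int:
        # date looks like "2010 Apr 16 08:57:00"; the 4th token is the time
        return int(self.date.split()[3].split(":")[0])

    def stats_excess(self) -> Optional[dict]:
        """For a rule-11 stats alert, read the hour window, baseline and
        observed count from the body and return how far above the
        baseline the hour was. Returns None for any other alert."""
        if self.rule_id != 11:
            return None
        for line in self.body:
            m = STATS_RE.match(line)
            if m:
                avg, seen = int(m["avg"]), int(m["seen"])
                return {"window": (int(m["start"]), int(m["end"])),
                        "average": avg, "reached": seen, "excess": seen - avg}
        return None


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into blank-line separated blocks and parse
    the three fixed header lines; anything that does not match is skipped
    rather than guessed at."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, o, r = HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (h and o and r):
            continue
        alerts.append(Alert(
            timestamp=float(h["ts"]),
            groups=[g.strip() for g in h["groups"].split(" - ")],
            date=o["date"], host=o["agent"] or o["host"], ip=o["ip"],
            location=o["location"], rule_id=int(r["id"]), level=int(r["level"]),
            description=r["desc"], body=lines[3:],
        ))
    return alerts


def related_alerts(stats: Alert, alerts: List[Alert]) -> List[Alert]:
    """Other alerts from the same host, same day and same hour window as a
    stats alert: the first place to look for what drove the count up.
    Note alerts.log holds alerts, not every raw event counted by rule 11."""
    info = stats.stats_excess()
    if info is None:
        return []
    start, end = info["window"]
    day = stats.date[:11]   # "2010 Apr 16"
    return [a for a in alerts
            if a is not stats and a.host == stats.host
            and a.date.startswith(day) and start <= a.hour() < end]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        info = a.stats_excess()
        if info:
            print(f"{a.host} ({a.ip}) {a.location}: {info['reached']} events in "
                  f"{info['window'][0]}:00-{info['window'][1]}:00, baseline "
                  f"{info['average']}, excess {info['excess']}")
            for rel in related_alerts(a, parsed):
                print(f"  related: {rel.date} rule {rel.rule_id} {rel.description}")
```

Running it on the sample prints the 251-event excess for funt and then the constructed rule 550 alert as the one other alert for that host in the 8:00 to 9:00 window. Pointed at a real alerts.log the same two functions answer "what does this stats alert mean" and "what else fired on that host in that hour" without reading the file by hand.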
