You said "And it looks like it might be worth investigating, since you're getting 200-300 more alerts for those systems than you usually get."
Where is it that I would investigate? I don't see any logs on the agent that actually give me any details about what this is complaining about. I know very little about ossec and the few logs that I see don't seem to have any detail, just high level messages like "The average number of logs between 8:00 and 9:00 is 479. We reached 730." So I understand that SOMETHING is causing the average to go up, but what?

Thank you for your patience.

____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]
"Accomplishing the impossible means only that your boss will add it to your regular duties" Doug Larson
From: "dan (ddp)" <[email protected]>
To: [email protected]
Date: 04/20/2010 01:51 PM
Subject: Re: [ossec-list] Excessive number of events
Sent by: [email protected]

On Tue, Apr 20, 2010 at 1:14 PM, Michael Barrett <[email protected]> wrote:
> Can you point me in the right direction? What does mail-stats mean?
> Where would I be looking on the target, this was just a small sample of all
> the actual alerts.

I thought I pointed a couple of times. I don't quite understand what information you're lacking here.

** Alert 1271426220.619212: mail - stats,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 8:00 and 9:00 is 479. We reached 730.

On April 16, 2010 the system funt (possibly at ip 172.24.189.13), between the hours of 8:00 and 9:00, had 730 events recorded by ossec. It looks like these alerts may be related to syscheck, but I am not positive. Look through the ossec logs for syscheck events for that host between 8:00 and 9:00 on April 16, 2010. The previous average number of logs for the hour between 8:00 and 9:00 was 479. The system had roughly 251 more events than average between the hours of 8:00 and 9:00 on April 16, 2010. I think "stats" is the group the alert belongs to.
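As an added example (not from the thread and not part of OSSEC itself), the script below parses a rule-11 "stats" alert in the layout quoted above into its fields and turns it into the triage pointer dan spells out by hand: which agent, which location, which hour, and how far above the learned average the count landed. It assumes the agent-reported origin line form shown in the quoted alert ("timestamp (agent) ip->location"); the sample alert is the one from the thread.

```python
import re

# Constructed sample: the rule-11 alert quoted in this thread, verbatim.
SAMPLE_ALERT = """\
** Alert 1271426220.619212: mail - stats,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 8:00 and 9:00 is 479. We reached 730.
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?P<groups>.+?),$")
# Agent-reported origin line: "<timestamp> (<agent>) <ip>-><location>"
ORIGIN = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
                    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<loc>\S+)$")
RULE = re.compile(r"^Rule: (?P<rid>\d+) \(level (?P<lvl>\d+)\) -> '(?P<desc>.*)'$")
STATS = re.compile(r"The average number of logs between (?P<start>\d{1,2}:\d{2}) "
                   r"and (?P<end>\d{1,2}:\d{2}) is (?P<avg>\d+)\. We reached (?P<got>\d+)\.")

def parse_stats_alert(text: str) -> dict:
    """Parse one OSSEC 'stats' alert block into a dict of its fields."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3:
        raise ValueError("alert block too short")
    head, origin, rule = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
    stats = STATS.search(text)
    if not (head and origin and rule and stats):
        raise ValueError("not a stats alert in the expected layout")
    return {
        "alert_id": head["id"], "groups": re.split(r"\s+-\s+", head["groups"]),
        "timestamp": origin["ts"], "agent": origin["agent"], "agent_ip": origin["ip"],
        "location": origin["loc"], "rule_id": int(rule["rid"]), "level": int(rule["lvl"]),
        "window": (stats["start"], stats["end"]),
        "average": int(stats["avg"]), "reached": int(stats["got"]),
        # How far above the learned hourly average this hour landed.
        "excess": int(stats["got"]) - int(stats["avg"]),
    }

def triage_hint(a: dict) -> str:
    """Where to look next: the archived events for this agent, location and hour."""
    day = a["timestamp"].rsplit(" ", 1)[0]
    return (f"{a['agent']} ({a['agent_ip']}) logged {a['reached']} '{a['location']}' "
            f"events between {a['window'][0]} and {a['window'][1]} on {day}, "
            f"{a['excess']} above the usual {a['average']}; review those events")

if __name__ == "__main__":
    print(triage_hint(parse_stats_alert(SAMPLE_ALERT)))
```

The rule itself only reports the count, so the parsed agent, location and window are the filter to apply to the archived events for that hour; the excess of 251 is the size of the spike, not its cause.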
