On Thu, Jul 29, 2010 at 7:30 AM, Mark F <[email protected]> wrote:
> Syscheck still isn't working (or doesn't appear to be at least..) but I can
> at least state that the logging is now working correctly now I'm using the
> hostname in the name="" field for agent configuration rather than the agent
> ID.
>

Is ossec-syscheckd running? Is it eating up a lot of CPU?

> One thing I would like to ask is how possible it is to have ossec alert on
> anything it's not seen before, so a log entry goes through all the rules and
> alerts or excludes itself, but if it doesn't find a rule that matches it I
> would like it to alert still. How easy/possible is that? Preferably only
> changing files that can be changed and wouldn't affect an upgrade with
> having to manually make lots of changes just to get that part of the
> functionality working again.
>

I don't know of a way. There is rule 1002, which looks for certain key words, and will alert on events with those key words in them.
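To make concrete what rule 1002 does and does not cover, here is a small Python model of its keyword match run over a few constructed log lines. This is an added example, not OSSEC code and not something posted in the thread: the keyword list is OSSEC's BAD_WORDS variable as I recall it from rules_config.xml, and the case-insensitive substring matching is an assumption, so check both against the rules shipped with your OSSEC version. The lines that fall through are the ones the question is about: with no matching rule, OSSEC produces no alert for them.

```python
import re

# BAD_WORDS as defined in OSSEC's rules_config.xml (from memory; verify
# against the rules_config.xml shipped with your OSSEC version).
BAD_WORDS = (
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted"
)

# Assumption: OSSEC's <match> behaves as a case-insensitive substring match,
# so the alternation above is compiled with re.IGNORECASE.
_RULE_1002 = re.compile(BAD_WORDS, re.IGNORECASE)


def matches_rule_1002(line):
    """Return the keyword that makes rule 1002 fire on this line, or None."""
    m = _RULE_1002.search(line)
    return m.group(0) if m else None


def triage(lines):
    """Split log lines into those rule 1002 would alert on and those that
    fall through.  In OSSEC the second group produces no alert unless some
    other rule matches; there is no built-in 'alert on anything with no
    matching rule', which is the gap the question asks about."""
    alerted, unmatched = [], []
    for line in lines:
        kw = matches_rule_1002(line)
        (alerted if kw else unmatched).append((line, kw))
    return alerted, unmatched


# Constructed sample log lines (not real events from the thread).
SAMPLE_LOGS = [
    "Jul 29 07:30:01 web01 sshd[2112]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2",
    "Jul 29 07:30:05 web01 kernel: nfs: server storage01 not responding, still trying",
    "Jul 29 07:31:12 web01 custom-app[3301]: license check returned status 0x1f",
    "Jul 29 07:31:40 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=mark uid=1000",
    "Jul 29 07:32:00 web01 custom-app[3301]: worker restarted after Segmentation Fault",
]

if __name__ == "__main__":
    alerted, unmatched = triage(SAMPLE_LOGS)
    print("rule 1002 would alert on:")
    for line, kw in alerted:
        print(f"  [{kw!r}] {line}")
    print("no keyword match, no alert from rule 1002:")
    for line, _ in unmatched:
        print(f"  {line}")
```

Of the five constructed lines, three carry a BAD_WORDS keyword and two (the NFS timeout and the application status line) do not, so a keyword catch-all like rule 1002 would stay silent on exactly the kind of never-seen-before event the question wants surfaced.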
