> Is ossec-syscheckd running? Is it eating up a lot of CPU?
>
It was running and not eating up much CPU; the problem has ended up being the /proc and
/sys partitions. I have set an ignore rule for these and now all is well. I think
I might set up a script to scan and then ignore any devices that are on the box
as well. Strace helped work out where the problem lay.
>
> I don't know of a way. There is rule 1002, which looks for certain key
> words, and will alert on events with those key words in them.
Well, not that I know what effect it will have, but I've added a rule that will
certainly catch all, as follows:
<rule id="500000" level="3">
  <match>*</match>
  <description>Catch All</description>
</rule>
Basically I created a high 'number/value' rule and then set it to a low level, but
still an alerting level, so that any other triggers above this level are still
fired instead. It seems to be working, but who knows.
I'm liking the idea, which I have no idea if it's possible yet (no documentation
that I can see on it online, at least?), of using ossec to search through MySQL
that's had all the logs sent to it centrally. Now that I've learned it is
possible, I'm looking at the idea of just running ossec on a central syslog
server. I don't see it of much use at all for file integrity; it's just so
unconfigurable, which is a shame, because the logging part is great.
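The "script to scan and then ignore any devices on the box" idea from the reply above, as an added example (not the poster's script or OSSEC project code): it reads mount-table lines in /proc/mounts format and emits OSSEC syscheck <ignore> entries for pseudo and volatile filesystems such as /proc and /sys, so syscheckd never hashes them. The mount lines are a constructed sample, and the list of filesystem types to skip is an assumption you would tune for your hosts.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the original post).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0'

# Filesystem types syscheck should not walk: kernel views or volatile memory,
# not files an attacker persists in. Assumed list; extend for your hosts.
PSEUDO_FS='proc sysfs devtmpfs devpts tmpfs cgroup cgroup2 debugfs securityfs
pstore mqueue hugetlbfs tracefs fusectl configfs binfmt_misc autofs efivarfs'

# is_pseudo_fs TYPE -> returns 0 when TYPE is in PSEUDO_FS
is_pseudo_fs() {
  for t in $PSEUDO_FS; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# ignore_entries MOUNTS_TEXT -> one "<ignore>MOUNTPOINT</ignore>" line per
# pseudo-filesystem mount; real block devices (/, /data) are left monitored.
ignore_entries() {
  printf '%s\n' "$1" | while read -r _dev mnt fstype _rest; do
    if is_pseudo_fs "$fstype"; then
      printf '  <ignore>%s</ignore>\n' "$mnt"
    fi
  done
}

# syscheck_block MOUNTS_TEXT -> a <syscheck> fragment to merge into ossec.conf
syscheck_block() {
  printf '<syscheck>\n'
  ignore_entries "$1"
  printf '</syscheck>\n'
}

syscheck_block "$SAMPLE_MOUNTS"
```

On a live host, run it with the real table (`syscheck_block "$(cat /proc/mounts)"`) and merge the output into the existing <syscheck> section rather than adding a second one.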