It falls under the GPL, dig in. ;)
On Mon, Aug 2, 2010 at 8:32 AM, Mark F <[email protected]> wrote:
>> Is ossec-syscheckd running? Is it eating up a lot of CPU?
>>
> It was running and not eating up much CPU; the problem has ended up being /proc
> and /sys partitions. I have set an ignore rule for these and now all is well.
> I think I might set up a script to scan and then ignore any devices that are
> on the box as well. Strace helped work out where the problem lay.
>
>> I don't know of a way. There is rule 1002, which looks for certain key
>> words, and will alert on events with those key words in them.
>
> Well, not that I know what effect it will have, but I've added a rule that
> will certainly catch all, as follows:
> <rule id="500000" level="3">
> <match>*</match>
> <description>Catch All</description>
> </rule>
>
> Basically I created a high 'number/value' rule and then set it to a low level,
> but an alerting level, so that any other triggers above this level are still
> triggered instead. It seems to be working, but who knows.
>
> I'm liking the idea, which I have no idea if it's possible yet (no
> documentation that I can see on it online at least?), of using ossec to
> search through MySQL that's had all the logs sent to it centrally.
> Now that I've learned it is possible, I'm currently looking at the idea of just
> running ossec on a central syslog server. I don't see it of much use at all
> for file integrity; it's just so unconfigurable, which is a shame, because
> the logging part is great.
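For anyone following the same path, here is how the two changes Mark describes (excluding /proc and /sys from syscheck, and a low-level local rule with a high id) are laid out in the OSSEC configuration files. This is an added illustration, not text from Mark's post or from the OSSEC project; it assumes the default install paths /var/ossec/etc/ossec.conf and /var/ossec/rules/local_rules.xml and a group name of my own choosing.

```xml
<!-- /var/ossec/etc/ossec.conf : syscheck section (constructed example) -->
<ossec_config>
  <syscheck>
    <!-- pseudo-filesystems are regenerated by the kernel on every read,
         so hashing them is pointless and is what was pinning syscheckd -->
    <ignore>/proc</ignore>
    <ignore>/sys</ignore>
    <!-- device nodes change constantly too; add them the same way -->
    <ignore>/dev</ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (constructed example) -->
<!-- group name "local,catchall," is an assumption for this example -->
<group name="local,catchall,">
  <!-- id 500000 keeps clear of the shipped rule ranges; level 3 is above
       the default log_alert_level of 1, so every event that no more
       specific rule claims is still written to alerts.log -->
  <rule id="500000" level="3">
    <match>*</match>
    <description>Catch All</description>
  </rule>
</group>
```

After editing, run /var/ossec/bin/ossec-control restart and watch /var/ossec/logs/alerts/alerts.log: with a catch-all at an alerting level, that file grows by one entry per received log line, so size it (or raise the level threshold in the `<alerts>` section) before pointing a busy central syslog server at it.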
