On 09/18/2010 01:49 AM, Tate Hansen wrote:
> Instead of configuring ossec.conf with additional "file/directories" to
> ignore, I had written rules (inside local_rules.xml) to simply reduce the
> "level" to 0 (i.e. I wanted to have a forensic trail, but not be alerted).
> As soon as I added the directories containing the majority of file changes
> to the ignore lines in ossec.conf -> restarted -> ossec-analysisd CPU
> consumption plummeted and I have yet to see a single agent disconnect
> message.
Thanks for the report. I'm confused. Did you ignore them in ossec.conf
or set the alert level to 0?
Also, setting the alert to 0 will cause the alerts to not be written to
alerts.log. You'll only have the checksums in the database and it's
pretty easy to clear the database. That would kill your forensic records.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
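The two approaches contrasted in this thread, written out side by side as an added example (not configuration from either poster). The directory paths and the rule id 100010 are assumptions; rule 550 is OSSEC's built-in "Integrity checksum changed" syscheck rule. The ossec.conf `<ignore>` entries stop syscheck from checksumming the paths at all, which is what relieves ossec-analysisd; the local_rules.xml rule still processes every change but, at level 0, nothing reaches alerts.log, so the only record left is the syscheck database that Michael points out is easy to clear.

```xml
<!-- ossec.conf: syscheck never checksums these paths, so no events reach
     ossec-analysisd and no trail of any kind is kept for them. -->
<ossec_config>
  <syscheck>
    <!-- assumed example paths: high-churn directories -->
    <ignore>/var/cache/example-app</ignore>
    <ignore type="sregex">^/var/spool/example-queue</ignore>
  </syscheck>
</ossec_config>

<!-- local_rules.xml: syscheck still hashes the files and analysisd still
     evaluates each change; the rule only changes what happens afterwards. -->
<group name="local,syscheck,">
  <!-- assumed rule id. level="0" means the event is dropped before
       alerts.log, so this does NOT preserve a forensic trail. -->
  <rule id="100010" level="0">
    <if_sid>550</if_sid>
    <match>/var/cache/example-app</match>
    <description>Expected churn under /var/cache/example-app.</description>
  </rule>

  <!-- assumed rule id. level="1" is logged (the default log_alert_level is 1)
       but stays far below the default email_alert_level of 7, which keeps
       the record in alerts.log without paging anyone. -->
  <rule id="100011" level="1">
    <if_sid>550</if_sid>
    <match>/var/spool/example-queue</match>
    <description>Expected churn under /var/spool/example-queue (logged only).</description>
  </rule>
</group>
```

If the goal is to reduce noise while keeping evidence, the level-1 form is the one to use; if the goal is to cut ossec-analysisd load, only the `<ignore>` form helps, because a rule cannot stop syscheck from generating the event in the first place.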