I think this is the code that writes out these stats:
/* Print total for the hour */
fprintf(flog, "%d--%d--%d--%d--%d\n\n",
        thishour,
        hourly_alerts, hourly_events, hourly_syscheck, hourly_firewall);
This would go with the following line from
/var/ossec/stats/totals/Sep/ossec-totals-01.log on my system:
14--80516--101757--1--0
The following line:
15-370010-1-83
is hour-SID-level-firedtimes (maybe the number of times it fired
during that hour...)
If this doesn't answer your other thread as well, you can look in the
ossec source (src/analysisd/analysisd.c) for more answers.
On Tue, Sep 21, 2010 at 9:09 PM, dan (ddp) <[email protected]> wrote:
> It looks like the stats kept in '/var/ossec/stats/totals/' are updated hourly.
> Not sure how to decode them off-hand though.
> I'm guessing something like:
> hour-events-alerts-something?
>
> On Tue, Sep 21, 2010 at 7:07 PM, Christopher Moraes
> <[email protected]> wrote:
>> Thank you. That was exactly the link I was looking for.
>> Since /var/ossec/stats is not configurable, is there any other way I can
>> measure the volume of eps that ossec (log-collector and analysisd) handle
>> for a test run?
>> For example, if I have OSSEC monitor a log file for an hour, is there any way I
>> can generate a report showing how many EPS were processed?
>>
>> On Tue, Sep 21, 2010 at 6:14 PM, dan (ddp) <[email protected]> wrote:
>>>
>>> The following link outlines the various options:
>>> http://www.ossec.net/main/manual/configuration-options/
>>>
>>> If the stats you're looking to have updated are the ones in
>>> /var/ossec/stats, there aren't really any configuration options for
>>> those.
>>>
>>
>
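To turn the two line formats decoded above into the per-hour EPS figure Christopher asked for, here is an added Python parser; it is not from the OSSEC source or from anyone in the thread, the sample log content is constructed, and the field meanings are the ones given in the reply: single-dash lines are hour-SID-level-firedtimes, the double-dash line is hour--alerts--events--syscheck--firewall.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of /var/ossec/stats/totals/<Mon>/ossec-totals-DD.log
# as described in the thread: per-rule lines (hour-SID-level-firedtimes), then the
# hour total (hour--alerts--events--syscheck--firewall) followed by a blank line.
SAMPLE_TOTALS_LOG = """\
14-5402-3-2
14-31101-5-12
14--80516--101757--1--0

15-370010-1-83
15--12000--24000--0--0

"""

RULE_RE = re.compile(r"^(\d+)-(\d+)-(\d+)-(\d+)$")
TOTAL_RE = re.compile(r"^(\d+)--(\d+)--(\d+)--(\d+)--(\d+)$")


@dataclass
class HourTotal:
    hour: int
    alerts: int
    events: int
    syscheck: int
    firewall: int
    rules: dict  # sid -> (level, firedtimes) for rules that fired this hour

    def eps(self) -> float:
        """Average events per second over the hour (3600 s)."""
        return self.events / 3600.0


def parse_totals(text: str) -> list:
    """Parse a totals log into one HourTotal per double-dash line."""
    hours, pending = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # blank separator after each hour total
        if m := TOTAL_RE.match(line):
            hour, alerts, events, syscheck, firewall = map(int, m.groups())
            hours.append(HourTotal(hour, alerts, events, syscheck, firewall, pending))
            pending = {}  # rule lines that follow belong to the next hour
        elif m := RULE_RE.match(line):
            _hour, sid, level, fired = map(int, m.groups())
            pending[sid] = (level, fired)
        else:
            raise ValueError(f"unrecognised stats line: {line!r}")
    return hours
```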