Not really. OSSEC looks at the logs that come in and works with those.
If an alert doesn't come in there isn't a whole lot it can do.

If you use agents, the system detects when the agents "disconnect" and
sends an alert.

On Wed, Dec 15, 2010 at 10:06 AM, NewRules <[email protected]> wrote:
>
> On 15 Dec, 15:44, "dan (ddp)" <[email protected]> wrote:
>> There should be an alert for when there are more messages than
>> average, but nothing that I know of for not receiving any messages.
>>
>
> Is there a way to create custom rules to generate such an alert?
>
>> On Wed, Dec 15, 2010 at 5:30 AM, NewRules <[email protected]> wrote:
>> > Hi,
>>
>> > I'm using ossec as a log correlator.
>> > For log centralization I'm using syslog-ng (for formatting features),
>> > thus I'm not using ossec agents for log collection.
>>
>> > I wanna know if there is any option to set an alert when no logs or an
>> > unusual amount of logs from a certain host is noticed.
>>
>> > The problem I've been through is that after servers reboot, syslog-ng
>> > agents did not restart for some reason and thus they were not sending
>> > logs anymore. Ossec did not warn me about it.
>>
>> > How is it possible to set this kind of alert?
>>
>> > Thanks,
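
Added example, not part of the thread and not OSSEC code: since a log-driven correlator cannot fire on lines that never arrive, a separate check over the centralized syslog-ng output can flag hosts that have gone quiet. It assumes RFC 3164 style lines (`Mon DD HH:MM:SS host ...`); the function names, the expected-host list, the 30-minute threshold and the sample lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

def last_seen(lines, now):
    """Map host -> newest timestamp found in RFC 3164 style lines."""
    seen = {}
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # not a syslog line
        try:
            ts = datetime.strptime(
                f"{now.year} {parts[0]} {parts[1]} {parts[2]}", "%Y %b %d %H:%M:%S")
            # RFC 3164 carries no year: a stamp in the future is from last year
            if ts > now + timedelta(days=1):
                ts = ts.replace(year=now.year - 1)
        except ValueError:
            continue  # unparsable timestamp
        host = parts[3]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_hosts(lines, expected, now, max_silence=timedelta(minutes=30)):
    """Return {host: silence} for expected hosts that are overdue.

    silence is None when the host never appeared at all, which is the
    "sender did not restart after reboot" case from the thread.
    """
    seen = last_seen(lines, now)
    report = {}
    for host in expected:
        ts = seen.get(host)
        if ts is None:
            report[host] = None
        elif now - ts > max_silence:
            report[host] = now - ts
    return report

# Constructed sample input (hypothetical hosts web01, db01, mail01)
SAMPLE = [
    "Dec 15 09:58:12 web01 sshd[311]: Accepted publickey for deploy",
    "Dec 15 10:05:40 web01 CRON[412]: session opened for user root",
    "Dec 15 08:10:03 db01 syslog-ng[99]: syslog-ng starting up",
    "garbage line",
]

if __name__ == "__main__":
    now = datetime(2010, 12, 15, 10, 6, 0)
    for host, gap in silent_hosts(SAMPLE, ["web01", "db01", "mail01"], now).items():
        print(host, "never seen" if gap is None else f"silent for {gap}")
```

Run from cron against the central log file, the report can be mailed or written back to syslog so the silence itself becomes a log event.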
