Thank you Daniel. I looked that up and found it here: http://www.ossec.net/doc/syntax/head_ossec_config.reports.html
The doc says 5096 is the max though - am I able to go up to 90,000 as you suggested?

On Jul 28, 2:26 pm, Daniel Cid <[email protected]> wrote:
> Try to increase the maximum number of events stored in memory.
>
> By default it is 1024 and for your case, you would need a much larger
> number (maybe 90k or something like that).
>
> Just edit memory_size in the global config: <memory_size>90000</memory_size>
>
> thanks,
>
> On Thu, Jul 28, 2011 at 5:44 PM, jplee3 <[email protected]> wrote:
> > Hi all,
> >
> > I was wondering if anyone has had a lot of experience using higher
> > frequencies and broader timeframes, and if you have run into any
> > "limitations".
> >
> > I currently have a rule setup to fire if there have been 1000 requests
> > from the same source IP in a timeframe of 21600 seconds (6 hours).
> > This is based on Apache logs (specifically GET requests) and we get
> > quite a number of requests coming through from same IPs, so I know
> > this should fire.
> >
> > Another thought is that we're constantly making changes to rules and
> > restarting the OSSEC server throughout the day (at least between
> > 8am-5pm), so I'm guessing, in the case that the 'counter' is reset on
> > an OSSEC server restart, we'll never hit this threshold. However,
> > there should never be any changes during the night, so I'm a bit
> > puzzled as to why it wouldn't fire between 5pm-8am the next day. Guess
> > I'll have to look into lowering the thresholds either way.
> >
> > Just curious if anyone else has been successful with using larger
> > numbers for frequency and timeframe.
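A configuration pair matching the setup discussed in this thread, as an added example that is not part of the original messages: the memory_size change Daniel suggests in ossec.conf, and a composite rule in local_rules.xml with the 1000-event / 21600-second frequency and timeframe from the original post. The rule id 100200 and the parent Apache access-log rule id 31100 are assumptions; adjust them to your ruleset.

```xml
<!-- Added example, not from the thread. Rule ids 100200 (local) and 31100
     (assumed Apache access-log parent rule) are assumptions. -->

<!-- ossec.conf: raise the event memory so a busy 6-hour window of Apache
     traffic still fits. 1024 is the default Daniel refers to. -->
<ossec_config>
  <global>
    <memory_size>90000</memory_size>
  </global>
</ossec_config>

<!-- local_rules.xml: fire once a single source IP produces 1000 matching
     access-log events within 21600 seconds (6 hours). The counter is kept
     in memory only, so restarting the OSSEC server starts the window over,
     as the original post suspects. -->
<group name="local,web,">
  <rule id="100200" level="10" frequency="1000" timeframe="21600">
    <if_matched_sid>31100</if_matched_sid>
    <same_source_ip />
    <description>High request volume from one source IP (1000 in 6h)</description>
  </rule>
</group>
```

The two fragments go in their respective files; the rule alone will not reach its threshold if the number of events kept in memory is smaller than the number that must accumulate inside the timeframe.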
