Hello list, I'm trying to figure out how OSSEC could check for missing messages, unsuccessfully so far.

syslogd on my servers is sending MARK messages every 600s, and I would like to get an alert if OSSEC hasn't seen a MARK message from a host in the last 1800s. All syslog messages are fed to OSSEC, so it gets everything syslog sends. Is this possible? Creating a rule set to alert if OSSEC has seen MARK messages in the last 1800s was easy, but alerting if it has NOT seen these messages seems hard, at least for me :) Any hints? Maybe I'm missing something totally obvious.

Regards,
-ap
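As an added illustration of the absence check described in the question (not part of the original post, and not an OSSEC rule), the Python script below tracks the latest MARK per host in a syslog stream and reports every expected host whose last MARK is older than 1800s, including hosts that never sent one at all. It assumes the classic sysklogd line layout `Mon day HH:MM:SS host -- MARK --`; the log lines, host names and clock value are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed sysklogd MARK line layout: "<Mon> <day> <HH:MM:SS> <host> -- MARK --"
MARK_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) -- MARK --$'
)

def parse_mark(line, year):
    """Return (timestamp, host) for a MARK line, or None for any other line.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    m = MARK_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def last_mark_per_host(lines, year):
    """Latest MARK timestamp seen for each host in the stream."""
    last = {}
    for line in lines:
        parsed = parse_mark(line, year)
        if parsed:
            ts, host = parsed
            if host not in last or ts > last[host]:
                last[host] = ts
    return last

def silent_hosts(last_seen, expected_hosts, now, max_silence=1800):
    """Hosts with no MARK within max_silence seconds of `now`.
    Expected hosts that never sent a MARK are reported too: a host that is
    completely down produces no line for a positive-match rule to fire on."""
    limit = timedelta(seconds=max_silence)
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > limit)

# Constructed sample input: web1 keeps marking every 600s, db1 goes quiet
# after 12:00, and app1 never checks in at all.
SAMPLE_LOG = [
    "Oct  1 12:00:00 web1 -- MARK --",
    "Oct  1 12:00:00 db1 -- MARK --",
    "Oct  1 12:10:00 web1 -- MARK --",
    "Oct  1 12:10:05 web1 sshd[4242]: Accepted publickey for ops from 10.0.0.5",
    "Oct  1 12:20:00 web1 -- MARK --",
]
EXPECTED_HOSTS = {"web1", "db1", "app1"}

def check_sample():
    now = datetime(2024, 10, 1, 12, 45, 0)  # constructed "current time"
    return silent_hosts(last_mark_per_host(SAMPLE_LOG, 2024), EXPECTED_HOSTS, now)

if __name__ == "__main__":
    print("hosts with no MARK in the last 1800s:", check_sample())
```

The same loop can run periodically (cron or an OSSEC active-response style hook) over the collected syslog, with `EXPECTED_HOSTS` taken from your inventory rather than inferred from the log.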
