On Fri, Nov 25, 2011 at 6:03 PM, Andreas Piesk <[email protected]> wrote:
> Hello list,
>
> I'm trying to figure out how OSSEC could check for missing messages,
> unsuccessful so far.
>
> syslogd on my servers is sending MARK messages every 600s and I would like to
> get an alert if OSSEC hasn't seen a MARK message from a host in the last 1800s.
> All syslog messages are fed to OSSEC so it gets everything syslog sends.
>
> Is this possible? Creating a rule set to alert if OSSEC has seen MARK
> messages in the last 1800s was easy, but to alert if it has NOT seen these
> messages seems hard, at least for me :)
>
> Any hints? Maybe I'm missing something totally obvious.
>
> regards,
> -ap
There isn't really a way at the moment. It's a problem I'm interested in, and I'm slowly coming up with a plan. I'm open to ideas if anyone has a good one.

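One way to get the "absence" check Andreas describes while OSSEC itself has no such rule, as an added example that is not part of this thread or of the OSSEC project: track the newest `-- MARK --` line per host and report every expected host that has been silent for longer than 1800s (or has never been seen). The syslog lines, host names and the "now" timestamp below are constructed; syslog timestamps carry no year, so the year is assumed.

```python
"""Heartbeat-absence check over syslog MARK lines (illustrative, stand-alone)."""
import re
from datetime import datetime, timedelta

# Classic syslogd MARK line: "Nov 25 17:00:12 web1 -- MARK --"
MARK_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) .*-- MARK --')

# Constructed sample input: db1 stops sending MARKs after 17:00, mail1 never appears.
SAMPLE_LOG = """\
Nov 25 17:00:12 web1 -- MARK --
Nov 25 17:00:15 db1 -- MARK --
Nov 25 17:10:12 web1 -- MARK --
Nov 25 17:10:15 db1 sshd[123]: Accepted publickey for ops from 10.0.0.5
Nov 25 17:20:12 web1 -- MARK --
Nov 25 17:30:12 web1 -- MARK --
Nov 25 17:40:12 web1 -- MARK --
Nov 25 17:50:12 web1 -- MARK --
"""
EXPECTED_HOSTS = ["web1", "db1", "mail1"]          # constructed inventory
NOW = datetime(2011, 11, 25, 18, 0, 0)             # constructed "current time"
WINDOW = timedelta(seconds=1800)                   # 3 missed MARKs at 600s

def parse_mark(line, year=2011):
    """Return (host, timestamp) for a MARK line, else None. Year is assumed."""
    m = MARK_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return m.group(2), ts

def last_seen(lines):
    """Map host -> timestamp of its newest MARK; non-MARK lines are ignored."""
    seen = {}
    for line in lines:
        parsed = parse_mark(line)
        if parsed:
            host, ts = parsed
            if host not in seen or ts > seen[host]:
                seen[host] = ts
    return seen

def silent_hosts(seen, expected, now, window=WINDOW):
    """Hosts with no MARK inside the window; value is last MARK or None if never seen."""
    return {h: seen.get(h) for h in expected
            if seen.get(h) is None or now - seen[h] > window}

if __name__ == "__main__":
    for host, ts in silent_hosts(last_seen(SAMPLE_LOG.splitlines()),
                                 EXPECTED_HOSTS, NOW).items():
        print(f"ALERT: no MARK from {host} since {ts or 'never'}")
```

Run from cron against the tail of the last hour of syslog, this gives the missing-heartbeat alert; the sample flags db1 (last MARK 17:00:15) and mail1 (never seen) but not web1.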