On Thu, Feb 2, 2012 at 3:53 PM, tao_zhyn <[email protected]> wrote:
> I was reviewing the windows decoder and noticed "<fts>name,
> location, user, system_name</fts>". I could not find any reference in
> the documentation as to what this was for.
>
> I finally found a reference to it in one of the messages on this
> mailing list, "need help on writing rules"
> (http://groups.google.com/group/ossec-list/browse_thread/thread/b8bdc5dae941eb18/77f39262b2e416a3?lnk=gst&q=first-time+cache#)
>
> From my understanding, in the decoder <fts> says which attributes
> should be added to the first-time cache. Then in the rules you can
> use <if_fts> to check if this is the first time this attribute value
> has been seen. Please correct me if I am wrong.
>
> I wanted to mention it here for others to easily find. Also, can this
> be added to the documentation somewhere? The closest I came to finding
> it in the documentation was here:
> http://www.ossec.net/doc/syntax/head_decoders.html#element-decoder
I haven't had time to play with it really. I opened documentation issue #43 for this: https://bitbucket.org/ddpbsd/ossec-rules/issue/43/fts-should-be-documented
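As an added illustration of how the two elements fit together (not code from this thread or from the OSSEC project's own decoder and rule files), here is a decoder that feeds the first-time cache and a rule pair that uses it. The application name "myapp", its log line format, the decoder names and the rule ids are all made up for the example; the element names are standard OSSEC decoder and rule syntax.

```xml
<!-- Added example, not from the thread. Decoder for a constructed log
     line of the form (the "myapp" format is an assumption):
       Jan 14 10:22:01 app1 myapp: login ok user=alice from=10.1.2.3
     Goes in a local decoder file (e.g. etc/local_decoder.xml). -->
<decoder name="myapp">
  <program_name>^myapp</program_name>
</decoder>

<decoder name="myapp-login">
  <parent>myapp</parent>
  <prematch>^login ok </prematch>
  <regex offset="after_prematch">^user=(\S+) from=(\S+)$</regex>
  <order>user, srcip</order>
  <!-- The fields listed here are joined into one key and stored in the
       first-time cache. "name" is this decoder's name and "location" is
       the host/file the log came from, so the same user seen from a new
       agent counts as "first time" again. -->
  <fts>name, location, user</fts>
</decoder>

<!-- Matching rules, for a local rules file (ids 100000+ are reserved for
     local rules). The base rule fires on every login; the child rule with
     <if_fts /> fires instead only the first time a given
     name/location/user combination is seen, and never again after that. -->
<group name="myapp,">
  <rule id="100200" level="3">
    <decoded_as>myapp-login</decoded_as>
    <description>myapp: successful login.</description>
  </rule>

  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <if_fts />
    <description>myapp: first time this user logged in on this host.</description>
  </rule>
</group>
```

A decoder without an <fts> element never populates the cache, so a rule with <if_fts /> under it will simply never match; feeding the sample line to ossec-logtest is a quick way to confirm the decoder extracts the user field before relying on the rule.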
