On Wed, Aug 15, 2012 at 2:45 PM, Kat <[email protected]> wrote:
> Is there a way to tell OSSEC to use the timestamp of the actual logfile
> entry rather than its own "internal timestamp of when it sees the alert"?
>
> This should be a configuration option - *hint hint*
>
> Unless there is already a way to do this.
>
> thanks
> K

There's currently no way to do this, and I don't see it happening. Although, I do want to see OSSEC taking the event's timestamp into account, and possibly sending an additional alert for strange timestamps (old events, predictions of future events, etc).
