Yes, we could do some interesting rules there :) The issue is that OSSEC stores the alerts in a sequential mode and it wouldn't be able to go back in time and store the alerts in the proper position based on the log time. Plus, it would be a big mess if servers are on a different timezone or do not have the times in sync...
thanks,
-- Daniel B. Cid
http://dcid.me

On Wed, Aug 15, 2012 at 3:51 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Aug 15, 2012 at 2:45 PM, Kat <[email protected]> wrote:
>> Is there a way to tell OSSEC to use the timestamp of the actual logfile
>> entry rather than its own "internal timestamp of when it sees the alert"?
>>
>> This should be a configuration option - *hint hint*
>>
>> Unless there is already a way to do this.
>>
>> thanks
>> K
>
> There's currently no way to do this, and I don't see it happening.
>
> Although, I do want to see OSSEC taking the event's timestamp into
> account, and possibly send an additional alert for strange timestamps
> (old events, predictions of future events, etc).
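The "strange timestamp" check discussed in the thread (old events, events claiming to come from the future), as an added example that is not OSSEC code and not from anyone in this thread. It assumes classic BSD syslog headers (no year, no zone), so it has to assume both: the year is taken from the receipt time (with a wrap-around for December events seen in January) and the zone is a per-agent setting supplied by the caller. The thresholds (one hour of lag, five minutes of skew) are hypothetical policy values, and the log lines are constructed. The last case shows the timezone mess Daniel mentions: the same line is "ok" when the agent is believed to be in UTC and "future" when it is believed to be five hours behind.

```python
"""Compare a syslog event's own timestamp with the time the collector saw it.

Added example, not OSSEC code. Assumptions: BSD syslog header, agent zone and
year supplied/derived by the caller, hypothetical lag/skew thresholds.
"""
import re
from datetime import datetime, timedelta, timezone

# "Aug 15 14:45:01 host prog[pid]: message" -- the header carries no year and
# no timezone, which is exactly why the event time cannot be trusted blindly.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)

# Hypothetical policy thresholds (not OSSEC settings).
MAX_LAG = timedelta(hours=1)      # older than this: event is "stale"
MAX_SKEW = timedelta(minutes=5)   # newer than receipt by more than this: "future"


def parse_event_time(line, received_at, agent_tz):
    """Return the event's timestamp as an aware datetime, or None if unparsable.

    received_at must be timezone-aware; agent_tz is the zone the agent is
    assumed to write its logs in.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    ts = naive.replace(year=received_at.year, tzinfo=agent_tz)
    # A late-December event received in early January belongs to the previous
    # year; without this the year guess pushes it almost 12 months ahead.
    if ts - received_at > timedelta(days=180):
        ts = ts.replace(year=received_at.year - 1)
    return ts


def classify(line, received_at, agent_tz, max_lag=MAX_LAG, max_skew=MAX_SKEW):
    """Label one line as 'ok', 'stale', 'future' or 'unparsed'."""
    ts = parse_event_time(line, received_at, agent_tz)
    if ts is None:
        return "unparsed"
    lag = received_at - ts
    if lag > max_lag:
        return "stale"
    if lag < -max_skew:
        return "future"
    return "ok"


def scan(lines, received_at, agent_tz):
    """Classify a batch of lines that all arrived at received_at."""
    return [(classify(line, received_at, agent_tz), line) for line in lines]


# Constructed sample lines; the collector's clock is assumed to be 15:00 UTC.
RECEIVED_AT = datetime(2012, 8, 15, 15, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "Aug 15 14:45:01 web1 sshd[1234]: Accepted publickey for kat from 10.0.0.5 port 51122",
    "Aug 15 09:00:00 web1 sshd[1200]: Failed password for root from 10.0.0.9 port 40001",
    "Aug 15 15:20:00 web2 sudo: kat : TTY=pts/0 ; COMMAND=/bin/ls",
    "this is not a syslog line",
]

if __name__ == "__main__":
    for label, line in scan(SAMPLE_LINES, RECEIVED_AT, timezone.utc):
        print(f"{label:8} {line}")
    # Same first line, but the agent is believed to be in UTC-5: its local 14:45
    # is 19:45 UTC, well after the 15:00 UTC receipt, so it is flagged "future".
    print(classify(SAMPLE_LINES[0], RECEIVED_AT, timezone(timedelta(hours=-5))))
```

The point of the last call is that a "future" verdict cannot distinguish a wrong clock from a wrong zone assumption, so such an alert should carry the agent's assumed zone alongside both timestamps; fixing the ordering of alerts already written, as Daniel notes, is a separate problem this check does not solve.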
