What about setting the frequency to something really low like 60? Will the agent try to check in every minute? Will the time stamp then be more accurate, assuming the core isn't too busy to handle the information. I also assume that there will be a point where the number of agents trying to check in every minute will start to tax/overload the server?

Steven
On Wednesday, August 15, 2012 4:53:43 PM UTC-6, Daniel Cid wrote:
> Yes, we could do some interesting rules there :)
>
> The issue is that OSSEC stores the alerts in a sequential mode and it
> wouldn't be able to go back in time and store the alerts on the proper
> position based on the log time. Plus, it would be a big mess if servers
> are on a different timezone or do not have the times in sync...
>
> thanks,
>
> --
> Daniel B. Cid
> http://dcid.me
>
>
> On Wed, Aug 15, 2012 at 3:51 PM, dan (ddp) <[email protected]> wrote:
> > On Wed, Aug 15, 2012 at 2:45 PM, Kat <[email protected]> wrote:
> >> Is there a way to tell OSSEC to use the timestamp of the actual logfile
> >> entry rather than its own "internal timestamp of when it sees the alert"?
> >>
> >> This should be a configuration option - *hint hint*
> >>
> >> Unless there is already a way to do this.
> >>
> >> thanks
> >> K
> >
> > There's currently no way to do this, and I don't see it happening.
> >
> > Although, I do want to see OSSEC taking the event's timestamp into
> > account, and possibly send an additional alert for strange timestamps
> > (old events, predictions of future events, etc).
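The idea raised in the quoted replies (keep the alert stream in arrival order, but compare the event's own timestamp with the server's receive time and raise a separate "strange timestamp" alert for stale or future-dated events) can be sketched as a standalone check. The following is an added example written for this thread; it is not OSSEC code and not from any of the posters. It assumes BSD-syslog-style lines (month, day, time, no year), that the source host writes timestamps in UTC with a synchronized clock, and a hypothetical `classify` helper with constructed sample lines; the receive time stands in for the moment the OSSEC server saw the event.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical helper, not part of OSSEC: BSD-syslog timestamps look like
# "Aug 15 21:00:03" and omit the year, so the year is borrowed from the
# receive time and corrected for the December/January rollover.
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
)


def parse_syslog_timestamp(line, received):
    """Return the event time embedded in a syslog line as an aware UTC
    datetime, or None if the line carries no recognizable timestamp.
    'received' must be an aware UTC datetime (the server's receive time)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = f"{m['mon']} {m['day']} {m['time']} {received.year}"
    event = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    # A Dec 31 event that arrives on Jan 1 would otherwise look a year in the
    # future; the mirror case covers a source clock slightly ahead of ours.
    if event - received > timedelta(days=180):
        event = event.replace(year=received.year - 1)
    elif received - event > timedelta(days=180):
        event = event.replace(year=received.year + 1)
    return event


def classify(received_iso, line,
             max_age=timedelta(hours=1),
             future_tolerance=timedelta(minutes=5)):
    """Compare the event's own timestamp with the receive time.

    Returns a dict with 'status' in {'ok', 'stale', 'future', 'no_timestamp'}
    and 'skew_seconds' = event_time - receive_time (None if unparseable).
    'stale' means the event is older than max_age; 'future' means it is
    dated more than future_tolerance ahead of the receive time."""
    received = datetime.fromisoformat(received_iso)
    if received.tzinfo is None:          # treat naive receive times as UTC
        received = received.replace(tzinfo=timezone.utc)
    received = received.astimezone(timezone.utc)

    event = parse_syslog_timestamp(line, received)
    if event is None:
        return {"status": "no_timestamp", "skew_seconds": None}

    skew = (event - received).total_seconds()
    if skew > future_tolerance.total_seconds():
        status = "future"
    elif -skew > max_age.total_seconds():
        status = "stale"
    else:
        status = "ok"
    return {"status": status, "skew_seconds": skew}


# Constructed sample input (receive time, raw log line); not real alerts.
SAMPLE_EVENTS = [
    ("2012-08-15T21:00:05+00:00",
     "Aug 15 21:00:03 web1 sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 4242 ssh2"),
    ("2012-08-15T21:00:05+00:00",
     "Aug 15 18:30:00 db1 sudo: pam_unix(sudo:session): session opened for user root"),
    ("2012-08-15T21:00:05+00:00",
     "Aug 15 23:15:00 app2 kernel: Out of memory: Kill process 4321"),
    ("2012-08-15T21:00:05+00:00",
     "plain application line with no syslog header"),
    ("2013-01-01T00:00:30+00:00",
     "Dec 31 23:59:50 web1 sshd[1234]: Accepted publickey for deploy from 10.0.0.9 port 5000 ssh2"),
]


def scan(events=SAMPLE_EVENTS):
    """Classify every (receive_time, line) pair; returns a list of statuses."""
    return [classify(received, line)["status"] for received, line in events]


if __name__ == "__main__":
    for (received, line), status in zip(SAMPLE_EVENTS, scan()):
        print(f"{status:12s} {line[:60]}")
```

In practice the thresholds (`max_age`, `future_tolerance`) should be wider than the worst-case delivery delay you expect, including the agent check-in interval discussed above, so that a slow agent is not flagged as a clock problem; the check is meant to surface the cases the reply describes (events from the past being replayed, or sources whose clocks run ahead), not to reorder the alert log.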
