I script and cron the archiving and carting off-line of all the archive and alert records, in addition to inserting them into a database. The benefit is that I can keep a limited period of activity in the database and have the ability to replay the text files for periods that I may be interested in in the future. Not to mention the flexibility of using the logs to insert them into a myriad of other tools like LogRhythm, Splunk (hate to have to mention them), etc.

Ash
On Tuesday, September 25, 2012 11:00:32 AM UTC-4, dan (ddpbsd) wrote:
> On Tue, Sep 25, 2012 at 10:56 AM, kay kay <[email protected]> wrote:
> > Thank you for a sane answer.
> >
> > So why didn't you tell me at once "it is impossible to implement it in
> > default ossec" instead of "use vi"?
> >
>
> Because you offered to modify the source code to implement the
> feature, and I thought you would get it. It was a failed attempt at a
> humorous way of answering the question.
>
> > Tuesday, September 25, 2012, 18:45:30 UTC+4, dan (ddpbsd) wrote:
> >>
> >> On Tue, Sep 25, 2012 at 10:41 AM, kay kay <[email protected]> wrote:
> >> > I didn't ask about which tool to use, I asked about which file to
> >> > modify, what exactly. And is it possible at all.
> >> >
> >>
> >> Yes it's possible, but you'll have to modify the source code to do it.
> >> That "feature" isn't implemented. If I took the time to tell you what
> >> to modify and how to do it exactly I might as well do it myself.
> >>
> >> > Tuesday, September 25, 2012, 18:26:58 UTC+4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Sep 25, 2012 at 10:21 AM, kay kay <[email protected]> wrote:
> >> >> > Any sane response?
> >> >> >
> >> >>
> >> >> Use vi?
> >> >>
> >> >> > Tuesday, September 25, 2012, 14:12:45 UTC+4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> Start warming up emacs.
> >> >> >>
> >> >> >> On Sep 25, 2012 6:07 AM, "kay kay" <[email protected]> wrote:
> >> >> >>>
> >> >> >>> I would like to disable alert.log and use only the database. Is it
> >> >> >>> possible to implement in default ossec or should I modify the source code?
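The archive-and-replay approach Ash describes (keep the text alerts, cart old ones off-line, keep only a window in the database) can be scripted with a short cron job. The following is an added example, not code from this thread or from the OSSEC project. It relies on one fact about OSSEC, that daily alert files live under logs/alerts/YYYY/Mon/ossec-alerts-DD.log; the source, destination and retention values, the manifest file name and the function names are assumptions for the example. Each old file is gzipped into the archive with the same YYYY/Mon layout, test-decompressed, hashed into a SHA-256 manifest so a later replay can be checked for tampering or bit rot, and only then deleted from the live tree.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): archive OSSEC alert logs
# older than DAYS into a compressed off-line store with a SHA-256 manifest.
# Assumed layout: SRC/YYYY/Mon/ossec-alerts-DD.log (what OSSEC writes).

# Hash a file with whichever sha256 tool exists; output is "<hash>  <path>".
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# archive_ossec_alerts SRC DEST DAYS
# Compresses every alert file older than DAYS days into DEST, records its
# hash in DEST/MANIFEST.sha256, removes the original, and prints the count.
archive_ossec_alerts() {
    src="$1"; dest="$2"; days="$3"
    mkdir -p "$dest"
    manifest="$dest/MANIFEST.sha256"
    : >>"$manifest"
    n=0
    # Collect candidates in a temp file so the loop runs in this shell and $n survives.
    tmp=$(mktemp)
    find "$src" -type f -name 'ossec-alerts-*.log' -mtime +"$days" >"$tmp"
    while IFS= read -r f; do
        rel=${f#"$src"/}                    # keep YYYY/Mon/ so replays stay dated
        out="$dest/$rel.gz"
        mkdir -p "$(dirname "$out")"
        gzip -c "$f" >"$out" || return 1
        gzip -t "$out" || return 1          # never delete the source if the copy is bad
        _sha256 "$out" >>"$manifest"
        rm -f "$f"
        n=$((n + 1))
    done <"$tmp"
    rm -f "$tmp"
    echo "$n"
}

# verify_archive DEST: recheck every manifest entry; prints "ok" or "FAILED".
verify_archive() {
    manifest="$1/MANIFEST.sha256"
    if command -v sha256sum >/dev/null 2>&1; then tool="sha256sum"; else tool="shasum -a 256"; fi
    if $tool -c "$manifest" >/dev/null 2>&1; then echo ok; else echo FAILED; fi
}

# Usage from cron (paths are assumptions):
#   sh archive_alerts.sh /var/ossec/logs/alerts /srv/ossec-archive 30
if [ "$#" -eq 3 ]; then
    echo "archived $(archive_ossec_alerts "$1" "$2" "$3") file(s)"
    verify_archive "$2"
fi
```

Run verify_archive before any replay (for example before piping the decompressed files into another tool): a FAILED result means an archived file no longer matches what was recorded when it left the live tree.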
