On Tue, Feb 26, 2013 at 4:39 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
> I have defined several rules to monitor firewall logs. These rules
> send an alert if srcip or dstip match with several cdb IP blacklists
> (from dshield, RBN, shadowserver, etc) ... but it is too
> expensive. ossec-analysisd spends a lot of CPU resources to process
> the firewall logs received (over 7 million every day).
>
> Is there a better approach to accomplish this task using ossec?
>
> --
cdb is probably the best we have. If this is affecting the performance of the ossec server to the point it isn't analyzing other log messages, you may need to run an additional ossec server for the firewall logs (use hybrid to forward the alerts to the main server if necessary).

> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
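For readers who have not set up a CDB lookup before, here is a complete example of the pattern the thread is discussing: one compiled list, registered in ossec.conf, and a local rule that checks the firewall event's srcip and dstip against it. This is an added illustration, not configuration from the thread or from the OSSEC project itself; the list filename `lists/blocked.ips`, the rule ids 100100 and 100101, and the `firewall` group name are assumptions. The list source file holds one `ip:comment` line per entry and is compiled to `lists/blocked.ips.cdb` with `/var/ossec/bin/ossec-makelists` before ossec-analysisd is restarted.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): register the compiled CDB list.
     The path is relative to the OSSEC install directory; ossec-makelists
     turns lists/blocked.ips into lists/blocked.ips.cdb. -->
<ossec_config>
  <rules>
    <list>lists/blocked.ips</list>
  </rules>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (fragment).
     Both rules are gated on the firewall group so the CDB lookup only runs
     for firewall events, not for every line analysisd sees.  Merging the
     separate feeds (dshield, RBN, shadowserver, ...) into this single list
     before compiling it means one lookup per field instead of one per feed. -->
<group name="firewall,blocklist,">

  <!-- Source address appears in the blocklist. -->
  <rule id="100100" level="10">
    <if_group>firewall</if_group>
    <list field="srcip" lookup="address_match_key">lists/blocked.ips</list>
    <description>Firewall event from a source IP on the CDB blocklist.</description>
    <group>blocklist_src,</group>
  </rule>

  <!-- Destination address appears in the blocklist. -->
  <rule id="100101" level="10">
    <if_group>firewall</if_group>
    <list field="dstip" lookup="address_match_key">lists/blocked.ips</list>
    <description>Firewall event to a destination IP on the CDB blocklist.</description>
    <group>blocklist_dst,</group>
  </rule>

</group>
```

The `lookup="address_match_key"` form treats the list key as an IP address (so entries can also be network prefixes such as `10.0.0.` in the CDB key style), while `match_key` is a plain string comparison. Keeping the lookup inside a rule that already requires the firewall group is the main lever for limiting the CPU cost described in the question; the second lever, as the reply says, is to move the firewall feed to its own analysisd instance.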
