On 20.06.2013 03:10, Chris H wrote:
> Hi.
> I am passing the logs from my Cisco Wireless LAN Controllers through
> to OSSEC. One of the events that I am interested in is when rogue
> wireless access points are detected. Unfortunately, the events are
> issued for each wireless access point that detects the rogue, not
> just the controller.
>
> I tried using FTS, which works partially in that I can trigger an
> alert just once. What I would like to be able to do is trigger an
> alert just once per day, so if the same device appears the next day I
> still get an alert. Is this possible?
>
> Thanks

You can change the fts criteria so that it is matching on something
that is decoded and unique each time (MAC address?), or you can try
deleting the entry in queue/fts/fts-queue on a daily basis. Not sure if
the manager needs a restart after that, though.
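
A stand-alone illustration of the behaviour asked for in this thread, added here and not part of the original messages or of OSSEC itself: first-time-seen matching keyed on the rogue's MAC address, with the seen list cleared when the day changes. The log format, field names and sample lines are constructed for the example, and input is assumed to be in chronological order.

```python
import re
from datetime import datetime

# Constructed sample lines (not real controller output): three access points
# report the same rogue on day one, and one reports it again the next day.
SAMPLE_LOGS = [
    "2013-06-20T09:00:01 wlc1 AP=ap-floor1 rogue detected mac=00:11:22:33:44:55",
    "2013-06-20T09:00:02 wlc1 AP=ap-floor2 rogue detected mac=00:11:22:33:44:55",
    "2013-06-20T09:05:10 wlc1 AP=ap-floor3 rogue detected mac=00:11:22:33:44:55",
    "2013-06-20T11:30:00 wlc1 AP=ap-floor1 rogue detected mac=66:77:88:99:AA:BB",
    "2013-06-21T08:15:00 wlc1 AP=ap-floor2 rogue detected mac=00:11:22:33:44:55",
]

# Hypothetical line layout: timestamp, controller, reporting AP, rogue MAC.
ROGUE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ AP=\S+ rogue detected "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def first_seen_per_day(lines):
    """Return one (day, mac) alert per rogue MAC per calendar day."""
    seen = set()        # MACs already alerted on during current_day
    current_day = None
    alerts = []
    for line in lines:
        match = ROGUE_RE.match(line.strip())
        if not match:
            continue    # not a rogue-detection event
        day = datetime.fromisoformat(match.group("ts")).date()
        if day != current_day:
            # Day changed: forget everything, the same effect as emptying
            # the first-time-seen list once a day.
            seen.clear()
            current_day = day
        # Key on the rogue's MAC only, so reports from different access
        # points about the same device collapse into one alert.
        mac = match.group("mac").lower()
        if mac not in seen:
            seen.add(mac)
            alerts.append((day.isoformat(), mac))
    return alerts


if __name__ == "__main__":
    for day, mac in first_seen_per_day(SAMPLE_LOGS):
        print(f"{day} rogue AP first seen today: {mac}")
```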