Thanks Michael, might be able to work something with regards to the unique fts field. Can you match on date in OSSEC? Will have a test.
Thanks.

On Thursday, June 20, 2013 3:54:54 PM UTC+1, Michael Starks wrote:
> On 20.06.2013 03:10, Chris H wrote:
> > Hi.
> >
> > I am passing the logs from my Cisco Wireless Lan Controllers through
> > to OSSEC. One of the events that I am interested in is when rogue
> > wireless access points are detected. Unfortunately, the events are
> > issued for each wireless access point that detects the rogue, not
> > just the controller.
> >
> > I tried using FTS, which works partially in that I can trigger an
> > alert just once. What I would like to be able to do is trigger an
> > alert just once per day, so if the same device appears the next day I
> > still get an alert. Is this possible?
> >
> > Thanks
>
> You can change the fts criteria so that it is matching on something
> that is decoded and unique each time (MAC address?), or you can try
> deleting the entry in queue/fts/fts-queue on a daily basis. Not sure if
> the manager needs a restart after that, though.
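The behaviour discussed in this thread, modelled outside OSSEC as an added example (not code from the thread or from OSSEC itself): a first-time-seen check keyed on the rogue MAC alone fires once ever, while keying on (day, MAC) fires once per day per rogue, however many access points report it. The log format, field names and the function name `first_seen_alerts` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed, simplified sample lines (not real Cisco WLC output). Each line is
# one access point reporting a rogue, so a single rogue yields several events.
SAMPLE_LOG = """\
2013-06-20T09:00:01 wlc1 rogue_ap_detected rogue_mac=00:11:22:33:44:55 detecting_ap=AP-01
2013-06-20T09:00:02 wlc1 rogue_ap_detected rogue_mac=00:11:22:33:44:55 detecting_ap=AP-02
2013-06-20T09:00:03 wlc1 rogue_ap_detected rogue_mac=00:11:22:33:44:55 detecting_ap=AP-03
2013-06-20T11:30:00 wlc1 rogue_ap_detected rogue_mac=AA:BB:CC:DD:EE:FF detecting_ap=AP-02
2013-06-20T11:30:05 wlc1 client_associated client_mac=10:20:30:40:50:60 ap=AP-02
2013-06-21T08:15:00 wlc1 rogue_ap_detected rogue_mac=00:11:22:33:44:55 detecting_ap=AP-01
2013-06-21T08:15:01 wlc1 rogue_ap_detected rogue_mac=00:11:22:33:44:55 detecting_ap=AP-04
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ rogue_ap_detected "
    r"rogue_mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"detecting_ap=(?P<ap>\S+)$"
)


def first_seen_alerts(lines, per_day=True):
    """Return one alert per first-seen key.

    per_day=False keys on the rogue MAC only (alert once, ever).
    per_day=True keys on (calendar day, rogue MAC), so the same rogue
    alerts again on the next day but not once per detecting AP.
    """
    seen = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rogue-detection event
        day = datetime.fromisoformat(m["ts"]).date()
        mac = m["mac"].lower()  # normalise case so the key is stable
        key = (day, mac) if per_day else mac
        if key in seen:
            continue  # duplicate report from another AP, or a repeat
        seen.add(key)
        alerts.append((day.isoformat(), mac, m["ap"]))
    return alerts


if __name__ == "__main__":
    for alert in first_seen_alerts(SAMPLE_LOG.splitlines()):
        print("ALERT", *alert)
```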
