It's been brought to my attention that the OSSEC running on our servers is sending out duplicate alerts.
Is there a way to resolve this issue? An example from an OSSEC e-mail alert would be:

OSSEC HIDS Notification.
2013 Jul 25 15:52:44

Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/ data/logs/reduce.0725
Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
Portion of the log(s):

99594-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

--END OF NOTIFICATION

OSSEC HIDS Notification.
2013 Jul 25 15:52:44

Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/ data/logs/reduce.0725
Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
Portion of the log(s):

99594-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

--END OF NOTIFICATION

This is also evident on Splunk as there are duplicate events. Oddly enough, when I am digging through the daily alerts files in /opt/ossec/alerts/month/etc., I am not seeing duplicate alerts.

If anybody has any insight into this I would greatly appreciate it.
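As an added example (not code from the poster or from the OSSEC project), the script below parses notifications in the e-mail format shown in the post and reports alerts whose timestamp, source, rule id and log portion are identical. Running it over an exported mailbox or a Splunk export on one side and over the alerts files on the other is a quick way to confirm where in the pipeline the duplication first appears. The sample text is constructed for the example and is modelled on the post; the third notification, with a different timestamp and log line, is invented so that the check has a non-duplicate to keep apart.

```python
import re
from collections import Counter

# Constructed sample modelled on the notifications in the post: the first two
# are byte-for-byte identical, the third is an invented distinct alert.
SAMPLE_ALERTS = """\
OSSEC HIDS Notification.
2013 Jul 25 15:52:44

Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0725
Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
Portion of the log(s):

99594-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

--END OF NOTIFICATION

OSSEC HIDS Notification.
2013 Jul 25 15:52:44

Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0725
Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
Portion of the log(s):

99594-00032: P51350701B9A0017.zip 0205-2 (P51350701B9A0017.zip) FAILED: -340

--END OF NOTIFICATION

OSSEC HIDS Notification.
2013 Jul 25 15:53:10

Received From: (test-bnc3-reston) 172.16.23.220->/bnc2/testing/data/logs/reduce.0725
Rule: 100042 fired (level 12) -> "FAILED 340: Efective PKZIP archive"
Portion of the log(s):

99594-00033: P51350701B9A0018.zip 0205-2 (P51350701B9A0018.zip) FAILED: -340

--END OF NOTIFICATION
"""

# One OSSEC e-mail notification: header line, timestamp, source, rule, log portion.
NOTIFICATION_RE = re.compile(
    r'OSSEC HIDS Notification\.\s*'
    r'(?P<timestamp>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d)\s*'
    r'Received From: (?P<location>[^\n]+)\s*'
    r'Rule: (?P<rule_id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<description>[^"]*)"\s*'
    r'Portion of the log\(s\):\s*'
    r'(?P<log>.*?)\s*--END OF NOTIFICATION',
    re.DOTALL,
)


def parse_notifications(text):
    """Return one dict per notification found in text, in order of appearance."""
    notifications = []
    for match in NOTIFICATION_RE.finditer(text):
        fields = match.groupdict()
        fields["location"] = fields["location"].strip()
        fields["log"] = fields["log"].strip()
        notifications.append(fields)
    return notifications


def fingerprint(notification):
    """The fields that must all match for two alerts to count as the same event."""
    return (
        notification["timestamp"],
        notification["location"],
        notification["rule_id"],
        notification["log"],
    )


def find_duplicates(text):
    """Map each fingerprint that occurs more than once to its occurrence count."""
    counts = Counter(fingerprint(n) for n in parse_notifications(text))
    return {fp: count for fp, count in counts.items() if count > 1}


if __name__ == "__main__":
    for fp, count in find_duplicates(SAMPLE_ALERTS).items():
        timestamp, location, rule_id, log = fp
        print(f"{count}x rule {rule_id} at {timestamp} from {location}: {log}")
```

To compare two stages of the pipeline, read each export into a string and call `find_duplicates` on it; a stage that yields an empty result is not where the copies are introduced. The fingerprint deliberately excludes the rule description, since that is derived from the rule id and would only hide duplicates if a ruleset were edited between the two copies.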
