I've been playing around with logfile commands, active-response, and the rules associated with them.
For <localfile> <log_format>command</log_format> <command>df -h</command> </localfile>, I noticed that the 531 rule associated with it has an ignore="7200" within the rule. Would that mean that there is a delay of 7200 seconds before an alert is prompted if the partition reaches the hard drive space % that is noted? What is the reasoning behind this delay, and what is the 'flooding' that the ossec manual mentions if this ignore is not there? How does the 7200 second ignore prevent the flooding?
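As an added illustration (not part of the post above and not OSSEC's own code), here is a small Python model of what an ignore="7200" attribute does to a rule such as 531 when df -h output arrives on every command run. The sample log lines, the 60-second command interval, the "usage column at 100%" trigger, and the choice to keep one suppression window per rule rather than per partition are all constructed assumptions for the example; check the rule and your OSSEC version for the exact regex and behaviour.

```python
import re
from typing import List, Optional, Tuple

# ignore="7200" as carried by rule 531 in the stock OSSEC ruleset: once the rule
# has fired, further matches of the same rule are not alerted for 7200 seconds.
IGNORE_SECONDS = 7200

# Command output reaches analysisd prefixed with "ossec: output: '<command>': ".
# Rule 531 is the partition-full rule; the stock regex is not reproduced here,
# a usage column of 100% is taken as the trigger (assumption for this example).
FULL_PARTITION = re.compile(r"^ossec: output: 'df -h':.*\s100%\s")


class IgnoreWindow:
    """One suppression window per rule, mirroring how ignore="N" is applied."""

    def __init__(self, ignore_seconds: int) -> None:
        self.ignore_seconds = ignore_seconds
        self.last_fired: Optional[int] = None

    def should_alert(self, now: int) -> bool:
        # The first match always alerts; repeats inside the window are dropped.
        if self.last_fired is not None and now - self.last_fired < self.ignore_seconds:
            return False
        self.last_fired = now
        return True


def run_rule_531(events: List[Tuple[int, str]],
                 ignore_seconds: int = IGNORE_SECONDS) -> List[int]:
    """Return the timestamps at which the modelled rule 531 would alert.

    events: (seconds since start, log line) pairs in time order.
    """
    window = IgnoreWindow(ignore_seconds)
    alerts = []
    for ts, line in events:
        if FULL_PARTITION.search(line) and window.should_alert(ts):
            alerts.append(ts)
    return alerts


def build_sample_events(interval: int = 60, duration: int = 4 * 3600,
                        full_from: int = 600) -> List[Tuple[int, str]]:
    """Constructed df -h output (not real log data): the command runs every
    `interval` seconds and the root partition sits at 100% from `full_from` on."""
    events = []
    for ts in range(0, duration + 1, interval):
        usage = "100%" if ts >= full_from else "71%"
        events.append((ts, f"ossec: output: 'df -h': /dev/sda1   20G   20G     0 {usage} /"))
        events.append((ts, "ossec: output: 'df -h': /dev/sdb1  500G  120G  380G  24% /data"))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    print("no ignore   :", len(run_rule_531(SAMPLE_EVENTS, ignore_seconds=0)), "alerts in 4 h")
    print("ignore=7200 :", run_rule_531(SAMPLE_EVENTS))
```

Running the block shows the two behaviours side by side: with the ignore removed, a partition that stays full is reported on every 60-second run, so the same rule alerts every minute for as long as the disk is full, which is the flooding the manual warns about. With ignore="7200" the first alert goes out on the first match, not after a delay, and the next one only once the window has elapsed two hours later while the condition persists.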
