Your alerting system is something only you and your management team can decide on. If you wish to get an e-mail/text on all of the above, go for it.
Our team took a more minimalist approach, only getting alerts on critical errors: hardware failure, attacks, malware, critical logs to our production network, etc., so we can take immediate action. Everything below alert level 2 does not get logged because of the 'Unknown problem in the system' rule (very helpful). Root su, opened sessions, closed sessions, and successful SSH logins do not fire in our deployment because they are redundant and make parsing through the logs more tedious.

If you could give us an idea of what your network does, we could give you a better idea of what you could have OSSEC look for. If it's a general network at work, I would look into monitoring disk space, firewalls, malware, and unsuccessful sudos to su/root sessions. You will notice that there are tens of thousands of rules in OSSEC that can be used to fire an alert, and it has the capability to do so much.
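As an added illustration of the kind of tuning described in the reply above (example configuration, not the poster's own or the OSSEC project's), here is how that setup looks in a stock OSSEC install: an `alerts` block in ossec.conf that sets the logging and e-mail thresholds, a `full_command` localfile that feeds `df -P` output to the stock disk-space rule, and a local_rules.xml that silences the routine session and successful-sudo rules while escalating failed sudo. The rule IDs are the stock syslog/pam/sshd ones; confirm them against the ruleset shipped with your version, and treat the threshold values as assumptions to tune to your own environment.

```xml
<!-- ossec.conf (manager side, example fragment): drop level 0-2 alerts
     from the log entirely and only e-mail alerts at level 10 and above.
     Threshold values are assumptions; adjust to taste. -->
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Disk-space monitoring: run df periodically and pass its output
       through the rule engine. Stock rule 531 fires when a partition in
       that output reaches 100% (verify the ID in your ossec_rules.xml). -->
  <localfile>
    <log_format>full_command</log_format>
    <command>df -P</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml (example fragment): IDs 100000 and up are reserved
     for local rules. A child rule at level 0 means the matched events
     are ignored and never written to alerts.log. -->
<group name="local,syslog,">
  <!-- Silence the noisy parents:
       5501 / 5502 = PAM session opened / closed
       5715        = sshd authentication success
       5402        = successful sudo to root
       (stock IDs; confirm against the installed ruleset) -->
  <rule id="100001" level="0">
    <if_sid>5501,5502,5715,5402</if_sid>
    <description>Routine session and sudo activity silenced locally.</description>
  </rule>

  <!-- Keep failed sudo (stock 5401, level 5) and raise it above the
       e-mail threshold so it is actioned immediately. -->
  <rule id="100002" level="10">
    <if_sid>5401</if_sid>
    <description>Failed sudo attempt (escalated by local rule).</description>
  </rule>
</group>
```

After editing, run `/var/ossec/bin/ossec-logtest` and paste a sample sshd "Accepted password" line and a "sudo: ... incorrect password attempts" line to confirm the first now resolves to rule 100001 at level 0 and the second to 100002 at level 10 before restarting the manager.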
