On Sun, Oct 20, 2013 at 1:13 PM, rim bulls <[email protected]> wrote:
> Max email limit? Don't know about email limits.
> The delay is between log record in apache logfile and
> alert record in "$ossec/logs/alerts/alerts.log".
> For example: record in log file is recorded at 12.00, alert is generated
> at 12.30.
> This is local installation, no server-agent.
>
> One more thing - I use custom decoder for apache log file, like here:
> "http://marc.info/?l=ossec-list&m=120177942010907"
>
> Thanks in advance!
>

Is the system overloaded? How much CPU % is ossec-analysisd/ossec-logcollectord using? Are you pushing a lot of logs through it?

>
> 2013/10/20 dan (ddp) <[email protected]>
>
>>
>> On Oct 19, 2013 5:13 PM, "rim bulls" <[email protected]> wrote:
>> >
>> > Hello!
>> > Excuse my English, it is not my native language.
>> >
>> > Can someone help me with following issue:
>> > Ossec version: ossec-hids-local-2.7
>> > OS: FreeBSD 8.3
>> > Monitoring apache access log files. After running
>> > OSSEC some time, ~10-20min., there appears delay between entry in log
>> > file and
>> > ossec generated alert.
>> >
>> > Example:
>> > ** Alert 1380315612.1843: - apache-custom,
>> > 2013 Sep 28 00:00:12 mas->/var/log/web_access.log
>> > Rule: 100288 (level 1) -> 'permit 404 "not found" '
>> > Src IP: 83.136.136.54
>> > www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET
>> >
>> > /ads/content/banner/20121025221552-3803.swf?clickTAG=http://www.besttech.lt/ads/?fwd=1811
>> > HTTP/1.1" 403 244
>> > "http://www.siesuks.lv/receptes/majas-trte-a-varito-kremu-207841/"
>> > "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2;
>> > .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center
>> > PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
>> >
>> > Alert is generated in 2013 Sep 28 00:00:12, log file entry
>> > 27/Sep/2013:11:29:34.
>> >
>>
>> Did you reach the max email limit that hour?
>>
>> > The longer OSSEC runs, the larger the delay gets.
>> >
>> > I searched for answer using search engines, but did not get any
>> > answer. Can someone provide me some useful information, so I can
>> > resolve this case, please.
>> >
>> > Kind regards.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
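Added example (not part of the thread and not OSSEC code): one way to measure the delay discussed above is to compare the epoch in each `** Alert` header with the Apache timestamp in the same alert's log line, and to see whether the gap grows over time. The function names are hypothetical; the first sample alert uses the values from the post with the request line abridged, and the second alert is constructed.

```python
import re
from datetime import datetime

# OSSEC alert header: "** Alert <epoch>.<offset>: ..."
ALERT_HDR = re.compile(r"^\*\* Alert (\d+)\.\d+:")
# Apache access-log timestamp, e.g. [27/Sep/2013:11:29:34 +0300]
APACHE_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def alert_lags(text):
    """Return [(alert_epoch, lag_seconds)], one entry per alert that
    carries an Apache timestamp in its log line."""
    lags, alert_epoch = [], None
    for line in text.splitlines():
        hdr = ALERT_HDR.match(line)
        if hdr:
            alert_epoch = int(hdr.group(1))
            continue
        ts = APACHE_TS.search(line)
        if ts and alert_epoch is not None:
            event = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
            lags.append((alert_epoch, alert_epoch - int(event.timestamp())))
            alert_epoch = None  # count only the first timestamp per alert
    return lags

def lag_growth(lags):
    """Seconds by which the lag grew between the first and last alert.
    A value near 0 means a constant offset; a large positive value
    means alerts are falling further behind the log."""
    return lags[-1][1] - lags[0][1] if len(lags) > 1 else 0

# First alert: values from the post (request line abridged).
# Second alert: constructed for illustration.
SAMPLE = """\
** Alert 1380315612.1843: - apache-custom,
2013 Sep 28 00:00:12 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
Src IP: 83.136.136.54
www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET /ads/ HTTP/1.1" 403 244

** Alert 1380315672.2900: - apache-custom,
2013 Sep 28 00:01:12 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
Src IP: 192.0.2.10
www.example.org 192.0.2.10 - - [27/Sep/2013:11:29:40 +0300] "GET / HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for epoch, lag in alert_lags(SAMPLE):
        print(f"alert {epoch}: {lag} s behind the log entry")
    print("lag growth:", lag_growth(alert_lags(SAMPLE)), "s")
```

Run against the real `alerts.log`, a steadily increasing lag fits the backlog the reply asks about, while a constant lag would suggest a fixed offset such as a clock or timezone mismatch.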
