* Jason Frisvold <[email protected]> [2014-03-21 15:32:51 -0400]:

Michael Starks wrote:
If you are experiencing a performance problem with this it might be a
bug. OSSEC is designed to evaluate logs in a tree-like fashion. It
should only check as many decoders and rules as it needs to (maybe 3 or 4)
for each log before it stops and decides to continue on. Theoretically,
it should have no problem with tens of thousands of rules.

Not performance..  My example would be the current pure-ftpd decoders.
For whatever reason, they're matching apache log entries.  I don't use
pure, so it was simple enough to disable that.  But I can imagine that
there may be other situations where some decoders will match similar
logs.  If that happens, then the proper rules may not fire.

That is a bug and should be fixed.  Could you grab some of the
mismatches and we can add them to rule unit testing?



--
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
