On Tue, May 13, 2014 at 11:18 AM, <[email protected]> wrote:
> Hi,
>
> I'm trying to add some more rules into my company server: There is an
> update job on our LBs that sometimes fails, sometimes works. It is a daily
> check.
>
> I wonder how I could write a rule that would only alert on the third day of
> failure for example.
> I'm not sure how to do that actually. What happens if I do not specify a
> timeframe, is it infinitely long?
> How can I reset the counter then on a success?
>
> Sorry for the newbie's question but I can't try on the box I have here, it's
> productive and I don't want to mess it up.
>

Maybe write a script to go through the logs/alerts and log to syslog when your options are met? Then write rules for those logs.

> Thank you.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
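
Added example, not part of the original thread: a sketch of the kind of script the reply suggests, counting consecutive failures per load balancer, resetting on a success, and writing one syslog line when the streak reaches three. The log line format, the host names and the `lb-update-watch` syslog tag are assumptions made for illustration.

```python
import re

# Assumed (constructed) job log format, not taken from the thread:
#   2014-05-10 lb01 lb-update: status=FAILED
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) lb-update: status=(OK|FAILED)$")


def streak_alerts(lines, threshold=3):
    """Return one message per host each time its run of consecutive
    failures reaches `threshold`. A success resets that host's counter."""
    streak = {}   # host -> current consecutive failure count
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a job result line
        day, host, status = m.groups()
        if status == "OK":
            streak[host] = 0  # reset on success, no timeframe involved
            continue
        streak[host] = streak.get(host, 0) + 1
        # Fire only when the threshold is reached, not on every later failure.
        if streak[host] == threshold:
            alerts.append(f"host={host} consecutive_failures={threshold} last={day}")
    return alerts


SAMPLE = [  # constructed sample input
    "2014-05-08 lb01 lb-update: status=FAILED",
    "2014-05-09 lb01 lb-update: status=OK",
    "2014-05-10 lb01 lb-update: status=FAILED",
    "2014-05-10 lb02 lb-update: status=OK",
    "2014-05-11 lb01 lb-update: status=FAILED",
    "2014-05-12 lb01 lb-update: status=FAILED",
    "2014-05-13 lb01 lb-update: status=FAILED",
]

if __name__ == "__main__":
    import syslog

    syslog.openlog("lb-update-watch")  # hypothetical tag for a rule to match on
    for msg in streak_alerts(SAMPLE):
        syslog.syslog(syslog.LOG_WARNING, msg)
```

The script holds the counter and the reset logic, so the rule written for its output only has to match the single emitted line.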
