On 2014-11-05 5:49, priyonko chakraborty wrote:
> Can you suggest your views, if we can implement any rule to discard
> the connection from OSSEC agent to Servers if it crosses some
> threshold. Like if we get Event count after '20000':
> 13179011->8264848 (62%), there should be some rule which stops the
> connection between OSSEC agent with servers and help us to stop
> bandwidth killing.

Identify the cause of the chatty logs and address that. You may have
object auditing enabled, which can generate a large number of events.
This is not really an OSSEC problem. OSSEC sends every log to the
manager for analysis just like any other log analysis tool and it needs
to do that in order to do its job. It even compresses the logs, so I
really think you need to examine the source of the problem and address
it there.