Hi, I know it is not problem of OSSEC. Point is we want to capture the windows event logs including system, security and application. As OSSEC agents collects all those logs, sometime due to configuration error or any application error, windows triggered lots of noise on event logs and OSSEC captured everything and trying to send it to server.
So I wanted to know, is there any rule I can implement if the events will be high, it simply disconnect the agent with server. So there will be no impact on system performance as well network bandwidth. In short it's possible to put some bandwidth limitations, uniq events logging, etc??? Regards, Priyonko On Wednesday, 5 November 2014 20:40:25 UTC+5:30, Michael Starks wrote: > > On 2014-11-05 5:49, priyonko chakraborty wrote: > > > Can you suggest your views, if we can implement any rule to discard > > the connection from OSSEC agent to Servers if it crosses some > > threshold. Like if the we will get Event count after '20000': > > 13179011->8264848 (62%), there should be some rule which stops the > > connection between OSSEC agent with servers and help us to stop > > bandwidth killing. > > Identify the cause of the chatty logs and address that. You may have > object auditing enabled, which can generate a large number of events. > This is not really an OSSEC problem. OSSEC sends every log to the > manager for analysis just like any other log analysis tool and it needs > to do that in order to do its job. It even compresses the logs, so I > really think you need to examine the source of the problem and address > it there. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
