Hello team,

I'm quite a newbie with OSSEC and I have some questions about how fts works.

As far as I know, <if_fts> fires a rule if some data is found for the first time, isn't it? Actually, I couldn't find much info on how if_fts works in rules :/

What exactly does this line in a rule mean: <if_fts /> and what is the difference from: <if_fts></if_fts>

As I read, before using fts in a rule you need to update your decoders with the attributes between <fts></fts>. Why is there no need to specify the fts attributes in the rules? Is the rule fired when all of them are seen for the first time, or just some of them?

Is it possible to use fts with the syscheck decoder?

Is there any way to trigger a rule if some variable extracted from decoders (for example when a previous rule was already fired in two agents with the same IP) has been seen twice or more times? (some kind of "second time seen")

Thank you a lot for your help and regards,
John
