Hello All, I hope that this is not a difficult question. We would like OSSEC to only include log file entries that have timestamps on or after the time of the OSSEC process starting.
For example, my OSSEC started up at 11:09, therefore the following log entry from the auth.log with a timestamp of 11:04 we would like NOT to be included in the alerts file:

** Alert 1464689376.1379: mail - syslog,sudo
2016 May 31 11:09:36 (xyzABC01) any->/var/log/auth.log
Rule: 5403 (level 4) -> 'First time user executed sudo.'
User: infra
May 31 11:04:01 ip-11-9-1-132 sudo: devops : TTY=unknown ; PWD=/home/infra ; USER=root ; COMMAND=/bin/chown -R infra:infra /srv/xyz.com/redirects/

Is something like that possible? Like a config change in OSSEC to only parse log entries with a timestamp greater than OSSEC's start time? Or some way to only have alerts in the alerts file that correspond with a timestamp greater than the OSSEC process start time - that would also work for us.

Basically we are trying to avoid as many false positives as possible and this would help immensely.

Cheers
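As an added example (not OSSEC's own code or configuration, and not from the poster): the second option the post asks about, keeping only alerts whose underlying log line is not older than the OSSEC process start time, can be done as a post-filter over the alerts file. The script assumes the alert layout shown above (a "** Alert" header line, a "YYYY Mon DD HH:MM:SS (host)" line, and a syslog-style "Mon DD HH:MM:SS host ..." log line), and that the log line's year is the same as the year on the alert header line, since syslog timestamps carry no year. The sample alerts are constructed: the first is the one quoted in the post, the second is a made-up later event on the same host.

```python
"""Post-filter for OSSEC alerts: drop alerts whose original log line carries a
timestamp earlier than the OSSEC process start time.

Hypothetical example, not OSSEC code. It only reads the alerts file; it does
not change what OSSEC parses.
"""
import re
from datetime import datetime

# One alert starts with a "** Alert <epoch>.<id>:" line.
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+:", re.M)
# Second line of an alert: "2016 May 31 11:09:36 (host) ..."; gives us the year.
ALERT_TIME = re.compile(r"^(\d{4}) ([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) \(", re.M)
# Syslog-style log line: "May 31 11:04:01 hostname ..."
SYSLOG_TIME = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ ", re.M)

# Constructed sample: first alert as quoted in the post, second one made up.
SAMPLE_ALERTS = """\
** Alert 1464689376.1379: mail - syslog,sudo
2016 May 31 11:09:36 (xyzABC01) any->/var/log/auth.log
Rule: 5403 (level 4) -> 'First time user executed sudo.'
User: infra
May 31 11:04:01 ip-11-9-1-132 sudo: devops : TTY=unknown ; PWD=/home/infra ; USER=root ; COMMAND=/bin/chown -R infra:infra /srv/xyz.com/redirects/

** Alert 1464689525.2210: mail - syslog,sudo
2016 May 31 11:12:05 (xyzABC01) any->/var/log/auth.log
Rule: 5403 (level 4) -> 'First time user executed sudo.'
User: ops
May 31 11:12:05 ip-11-9-1-132 sudo:    ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/ls
"""

# OSSEC process start time for the scenario in the post (11:09 on 31 May 2016).
START = datetime(2016, 5, 31, 11, 9, 0)


def split_alerts(text):
    """Return the individual alert blocks found in an alerts.log dump."""
    starts = [m.start() for m in ALERT_HEADER.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def event_time(alert):
    """Timestamp of the original log line inside one alert, or None.

    The syslog line has no year, so the year is borrowed from the alert's
    own date line (assumption: both fall in the same year).
    """
    hdr = ALERT_TIME.search(alert)
    if not hdr:
        return None
    year = int(hdr.group(1))
    # Look for the syslog timestamp only on the lines after the date line.
    body = alert[alert.find("\n", hdr.end()) + 1:]
    m = SYSLOG_TIME.search(body)
    if not m:
        return None
    mon, day, clock = m.groups()
    try:
        return datetime.strptime(f"{year} {mon} {int(day):02d} {clock}",
                                 "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def filter_alerts(text, process_start, keep_unparsed=True):
    """Return the alerts whose log line is at or after process_start.

    Alerts whose timestamp cannot be parsed are kept by default: dropping
    them silently would hide events rather than remove false positives.
    """
    kept = []
    for alert in split_alerts(text):
        t = event_time(alert)
        if t is None:
            if keep_unparsed:
                kept.append(alert)
        elif t >= process_start:
            kept.append(alert)
    return kept


if __name__ == "__main__":
    import sys
    # Usage: python filter_alerts.py "2016-05-31 11:09:00" < alerts.log
    start = (datetime.strptime(sys.argv[1], "%Y-%m-%d %H:%M:%S")
             if len(sys.argv) > 1 else START)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALERTS
    for a in filter_alerts(text, start):
        print(a, end="\n\n")
```

Run against the sample, the 11:04:01 sudo alert is dropped and the 11:12:05 one survives. Note that the comparison uses the timestamp of the log line itself, not the time on the alert header line, which is when OSSEC processed the entry; those two are exactly the values that differ in the alert quoted above.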
