On Wed, Jun 1, 2016 at 11:56 AM, Tahir Hafiz <[email protected]> wrote: > Hello All, > > I hope that this is not a difficult question. > We would like OSSEC to only include log file entries that have timestamps on > or after the time of the OSSEC process starting. > > For example, my OSSEC started up at 11:09, therefore the following log entry > from the auth.log with a timestamp of 11:04 we would like NOT to be included > in the alerts file: > > ** Alert 1464689376.1379: mail - syslog,sudo > 2016 May 31 11:09:36 (xyzABC01) any->/var/log/auth.log > Rule: 5403 (level 4) -> 'First time user executed sudo.' > User: infra > May 31 11:04:01 ip-11-9-1-132 sudo: devops : TTY=unknown ; PWD=/home/infra > ; USER=root ; COMMAND=/bin/chown -R infra:infra /srv/xyz.com/redirects/ > > > Is something like that possible? Like a config change in OSSEC to only parse > log entries with a timestamp greater than OSSEC's start time? > Or some way to only have alerts in the alerts file that correspond with a > timestamp greater than the OSSEC process start time - that would also work > for us? > Basically we are trying to avoid as many false positives as possible and > this would help immensely. >
There are no configuration options to do anything like this. > Cheers > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
