We are tuning our OSSEC server/agent environment. We have multiple environments and use Puppet for configuration management and AWS for our cloud-based systems.
We baseline (run OSSEC) at the start of an environment build, and then do a Puppet apply. We seem to have thousands of alerts coming in (many to do with syscheck on subsequent Puppet applies). How do you guys deal with so many alerts? Do you try to whitelist all of them in the local_rules.xml file, or just let them all go into the alerts file? How do you know if an intruder has compromised a system if you constantly have login sessions opened and closed by system users, and have level 7 syscheck alerts from Puppet applies happening as part of the normal running of your environment? How do you have warning systems based on alerts set up (e.g. a script that triggers Nagios? or something else?).

Cheers
