I'm wondering the same. I'm testing OSSEC as a Tripwire replacement, but it's little things like adjusting a config with Chef and 40 alerts come in. I suppose I can whitelist in local_rules for some things like our Sensu config, but there are lots of changes via Chef that will happen across the board that can result in a lot of email.
On Wednesday, June 15, 2016 at 3:19:19 AM UTC-7, Tahir Hafiz wrote:
>
> We are tuning our OSSEC server/agent environment.
> We have multiple environments and use Puppet for configuration management and AWS for our cloud based systems.
>
> We baseline (run OSSEC) at the start of an environment build, and then do a Puppet apply.
> We seem to have thousands of alerts coming in (many to do with syscheck on subsequent Puppet applies).
>
> How do you guys deal with so many alerts - do you try and whitelist all of them in the local_rules.xml file or just let them all go into the alerts file?
> How do you know if an intruder has compromised a system if you constantly have login sessions opened and closed by system users and have level 7 syscheck alerts by Puppet applies happening as part of the normal running of your environment?
> How do you have warning systems based on alerts set-up (e.g. a script that triggers to Nagios? or something else?).
>
> Cheers
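One alternative to whitelisting syscheck rules in local_rules.xml is to keep the alerts and correlate them with the configuration-management run instead. The script below is an added example written for this thread; it is not code from OSSEC, Puppet, or either poster. It parses an alerts.log excerpt in the layout OSSEC writes, marks a syscheck alert as expected only when it hits a path Puppet is known to manage and falls inside a short window after a Puppet run on the same host, and reports everything else as unexplained, with a Nagios-style exit code so it can drive a warning system. The alerts.log excerpt, the Puppet run times, the managed-path prefixes, the five-minute window and the `nagios_status` wrapper are all constructed or assumed for this example.

```python
"""Correlate OSSEC syscheck alerts with Puppet run windows.

Added example for this thread, not code from OSSEC, Puppet or the posters.
A syscheck alert is "expected" only if it is for a path Puppet is known to
manage AND it lands within a short window after a Puppet run on the same host.
Everything else is reported as unexplained, so no blanket whitelist is needed.
The alerts excerpt, Puppet run times, managed prefixes and window length below
are constructed/assumed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout OSSEC writes to alerts.log (agent form).
SAMPLE_ALERTS = """\
** Alert 1465986000.1001: - ossec,syscheck,
2016 Jun 15 10:20:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sensu/config.json'
Size changed from '812' to '830'

** Alert 1465986010.1002: - ossec,syscheck,
2016 Jun 15 10:20:10 (web01) 10.0.0.5->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/sensu/conf.d/old_check.json' was deleted. Unable to retrieve checksum.

** Alert 1465986015.1003: - ossec,syscheck,
2016 Jun 15 10:20:15 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'

** Alert 1466002920.1004: - ossec,syscheck,
2016 Jun 15 15:02:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/sensu/config.json'
"""

# Puppet run start times per agent name, as you would take them from Puppet
# reports. Constructed for this example.
PUPPET_RUNS = {"web01": [datetime(2016, 6, 15, 10, 19, 40)]}

# Assumptions: prefixes Puppet is allowed to touch, and how long after a run
# starts a change is still attributed to that run.
MANAGED_PREFIXES = ("/etc/sensu/",)
RUN_WINDOW = timedelta(minutes=5)

SYSCHECK_RULES = {550, 551, 552, 553, 554}   # OSSEC's stock syscheck rule ids

TS_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \(?([^)\s]+)\)?")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
PATH_RE = re.compile(r"'(/[^']*)'")


def parse_alerts(text):
    """Split an alerts.log excerpt into dicts with time, host, rule, level, path."""
    alerts = []
    for block in re.split(r"(?m)^\*\* Alert ", text):
        lines = block.strip().splitlines()
        if len(lines) < 4:
            continue                      # leading empty chunk or truncated alert
        ts = TS_RE.match(lines[1])
        rule = RULE_RE.match(lines[2])
        if not (ts and rule):
            continue
        path = PATH_RE.search("\n".join(lines[3:]))
        alerts.append({
            "time": datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S"),
            # '(agent) ip->location' for agents, 'host->location' for local events
            "host": ts.group(2).split("->")[0],
            "rule": int(rule.group(1)),
            "level": int(rule.group(2)),
            "path": path.group(1) if path else None,
        })
    return alerts


def classify(alerts, puppet_runs=PUPPET_RUNS, managed=MANAGED_PREFIXES, window=RUN_WINDOW):
    """Return (expected, unexplained) syscheck alerts; non-syscheck alerts are skipped."""
    expected, unexplained = [], []
    for a in alerts:
        if a["rule"] not in SYSCHECK_RULES:
            continue
        on_managed_path = a["path"] is not None and a["path"].startswith(managed)
        during_run = any(
            timedelta(0) <= a["time"] - start <= window
            for start in puppet_runs.get(a["host"], [])
        )
        (expected if on_managed_path and during_run else unexplained).append(a)
    return expected, unexplained


def nagios_status(unexplained):
    """Map the result to a Nagios plugin exit code (0 OK, 2 CRITICAL) and summary."""
    if not unexplained:
        return 0, "OK - all syscheck alerts match a Puppet run"
    detail = ", ".join(f"{a['host']}:{a['path']}" for a in unexplained)
    return 2, f"CRITICAL - {len(unexplained)} syscheck alert(s) not explained by Puppet: {detail}"


if __name__ == "__main__":
    exp, unexp = classify(parse_alerts(SAMPLE_ALERTS))
    for a in exp:
        print("expected   ", a["time"], a["host"], a["rule"], a["path"])
    for a in unexp:
        print("UNEXPLAINED", a["time"], a["host"], a["rule"], a["path"])
    code, msg = nagios_status(unexp)
    print(msg)
    raise SystemExit(code)
```

On the sample, the two Sensu changes 20 and 30 seconds after the run start are expected; the edit to /etc/ssh/sshd_config during the same window is not, because Puppet does not manage that path, and the afternoon change to /etc/sensu/config.json is not, because no run explains it. That is the distinction a rule-level whitelist loses. The remaining gap is an attacker who modifies a managed path during the Puppet window; closing it means comparing the alerted paths against the resources Puppet's own report says it changed, which this example does not do.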
