It's fairly busy but nothing insane. I didn't know if OSSEC had some sort
of built-in alerting/monitoring or statistics where I could see if it's
truly missing those files.
On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote:
> > I'm using OSSEC in a slightly unconventional manner where I have it
> > installed on a centralized syslog server and it's tripping correlations
> > multiple servers with just one agent. A small snippet of the setup is
> > ossec-server.domain.com monitoring:
> > /logs/networking/*.log
> > /logs/windows/*.log
> > /logs/unix/*.log
> > Overall this has worked pretty well for a low key correlation system for
> > some alerts but I recently added a few more logs to it and I feel like
> > is missing some entries now. For example, I see alerts being tripped
> > /var/ossec/logs/alerts/alerts.log for some events, but others are not. I
> > know for a fact while tailing the alerts.log file, I should have
> > the alert below as I was also tailing the logs OSSEC was monitoring.
> > shows that the format is correct and it's decoding/alerting correctly
> > running the test. Therefore my only conclusion is OSSEC is potentially
> > getting overwhelmed and missing some. Is there a way to check that or
> > other reason this wouldn't have tripped for me?
> It's possible that it got missed. Is the server busy? Is there enough
> Is the events per second rate very high?
> > Feb 16 13:04:34 server1 sudo: user_name : command not allowed ;
> > ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
> > **Phase 1: Completed pre-decoding.
> > full event: 'Feb 16 13:04:34 server1 sudo: user_name : command
> > allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su
> > root'
> > hostname: 'server1'
> > program_name: 'sudo'
> > log: ' user_name : command not allowed ; TTY=pts/0 ;
> > PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
> > **Phase 2: Completed decoding.
> > decoder: 'sudo'
> > dstuser: 'user_name'
> > **Phase 3: Completed filtering (rules).
> > Rule id: '100012'
> > Level: '10'
> > Description: 'User attempted to run a command that was not
> > **Alert to be generated.
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
For more options, visit https://groups.google.com/d/optout.
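One way to answer the question in the thread (is OSSEC actually dropping events, or is the rule simply not firing?) is to reconcile the monitored log against alerts.log for a given rule. The script below is an added example, not code from the thread or the OSSEC project; it assumes the standard multi-line alerts.log layout (a `Rule:` line followed by the raw event) and uses the thread's rule id 100012, with both log samples constructed inline.

```python
import re

# Constructed sample of a monitored syslog file (not taken from the thread).
MONITORED_LOG = """\
Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
Feb 16 13:05:10 server1 sshd[2211]: Accepted publickey for user_name from 10.0.0.5 port 51234 ssh2
Feb 16 13:06:02 server2 sudo: other_user : command not allowed ; TTY=pts/1 ; PWD=/home/other_user ; USER=root ; COMMAND=/bin/bash
"""

# Constructed sample of /var/ossec/logs/alerts/alerts.log in OSSEC's
# blank-line separated alert layout; only the first sudo event was alerted on.
ALERTS_LOG = """\
** Alert 1518811474.1001: - syslog,sudo,
2018 Feb 16 13:04:34 (server1) 10.0.0.1->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed'
Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

"""

# Events that the sudo 'command not allowed' rule is expected to match.
SUDO_DENIED = re.compile(r"sudo: \S+ : command not allowed")


def expected_events(log_text):
    """Raw log lines that should have produced an alert."""
    return [line for line in log_text.splitlines() if SUDO_DENIED.search(line)]


def alerted_events(alerts_text, rule_id):
    """Raw event lines recorded in alerts.log under the given rule id.

    Each alert block ends at a blank line; the lines after 'Rule: <id> ...'
    are the original event(s) that triggered it."""
    found = set()
    for block in alerts_text.strip().split("\n\n"):
        lines = block.splitlines()
        for i, line in enumerate(lines):
            if line.startswith(f"Rule: {rule_id} "):
                found.update(l.strip() for l in lines[i + 1:])
                break
    return found


def missing_alerts(log_text, alerts_text, rule_id="100012"):
    """Expected events with no matching alert: evidence that analysisd
    dropped them rather than the rule failing to match."""
    seen = alerted_events(alerts_text, rule_id)
    return [e for e in expected_events(log_text) if e.strip() not in seen]


if __name__ == "__main__":
    for event in missing_alerts(MONITORED_LOG, ALERTS_LOG):
        print("no alert for:", event)
```

Run it against a real monitored log and alerts.log from the same time window; a non-empty result for a rule that ossec-logtest confirms matches points at dropped events rather than a decoder or rule problem.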