On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams wrote:
> I stopped them all (which appeared to work fine) and started again. Here is
> the rule and decoder I made for this (I want to alert only once if the same
> ID (filepath) has alerted in the past minute):
>
>
>
> 510
Hi,
check this out: https://groups.google.com/forum/#!topic/ossec-list/USAF6jF8yk8
Regards.
On Wednesday, April 5, 2017 at 10:45:52 PM UTC+2, Rob Williams wrote:
>
> I stopped them all (which appeared to work fine) and started again. Here is
> the rule and decoder I made for this (I want to
I stopped them all (which appeared to work fine) and started again. Here is
the rule and decoder I made for this (I want to alert only once if the same
ID (filepath) has alerted in the past minute):
510
This is meant to reduce noise as these events happen in
batches with not
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made,
> restart, and still have the same issue.
>
Try stopping the ossec processes, verify that ossec-analysisd has
stopped (sometimes it doesn't
Yes I have, I've also tried to disable all the relevant changes I've made,
restart, and still have the same issue.
On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> > Hi all,
> >
> > I'm
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting
> spammed with alerts but I can't seem to tune it correctly. What's weird is
> that I am still getting alerted for rule 510 for this
Hi all,
I'm running into an issue where rule 510 is triggering and I'm getting
spammed with alerts but I can't seem to tune it correctly. What's weird is
that I am still getting alerted for rule 510 for this log, but I can't
figure out how to get that to show in logtest. Basically, I am