[Ossec-list] Multiple messages refused based on timestamp only
- Subject: [Ossec-list] Multiple messages refused based on timestamp only
- From: nico at sonycom.com (Nico De Ranter)
- Date: Thu, 06 Apr 2006 12:00:05 +0200
Hello again,
I'm trying to use ossec to correlate logs from a few Linux-based
firewalls. I ran an nmap scan through one of the firewalls to see
whether ossec would pick it up. The nmap scan was done in Aggressive
mode to generate a lot of traffic (simulating a worm outbreak I had a
few weeks ago on that network). Unfortunately, when I look at the ossec
log on the server, it seems almost all messages from the firewall agent
were dropped due to a similar timestamp:
2006/04/06 11:29:25 shared(1407): Duplicated message time from
'10.21.59.190'.
2006/04/06 11:29:25 ossec-remoted(1214): Problem receiving message from
10.21.59.190.
[...]
Shouldn't ossec look both at the timestamp and the content of the
message to decide whether the packet is a duplicate? Of the 437 messages
the agent tried to send to the server, only 2 got through. Is there a way
to make the server accept all messages? Or can I do some preprocessing on
the agent to turn down the number of messages sent to the server?
Nico
--
Nico De Ranter
Senior System Administrator
Sony Service Center (NSCE)
The Corporate Village, Da Vincilaan 7-D1
B-1935 Zaventem, Belgium
Telephone: +32 (0)2 700 86 41 Fax: +32 (0)2 700 86 22
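The behaviour described in this post, as an added illustration that is not part of the original message and not OSSEC's own code (the details of the real server-side duplicate check are not on this page): a simplified model of a per-sender replay filter keyed on the whole-second timestamp alone, beside one keyed on a (timestamp, sequence number) pair. The sender address and the log time are the ones in the quoted server log; the burst size, rate and firewall log lines are constructed.

```python
"""Added illustration (not OSSEC's code): why a duplicate check that keys
on the message timestamp alone drops almost an entire burst, and how a
per-sender sequence number keeps replay protection without losing messages.
"""
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    ts: int        # whole-second timestamp, as the agent stamps it
    seq: int       # monotonically increasing counter kept by the sender
    payload: str


class TimestampOnlyFilter:
    """Accepts a message only if its timestamp is strictly newer than the
    last one seen from that sender, so everything else sent inside the same
    second is refused as a duplicate."""

    def __init__(self):
        self.last_ts = {}

    def accept(self, m):
        if m.ts <= self.last_ts.get(m.sender, -1):
            return False
        self.last_ts[m.sender] = m.ts
        return True


class TimestampSeqFilter:
    """Replay check on the (timestamp, seq) pair: a message is new only if
    the pair is strictly greater than the last accepted pair from that
    sender. A replayed copy still fails, but many messages per second pass."""

    def __init__(self):
        self.last = {}

    def accept(self, m):
        key = (m.ts, m.seq)
        if key <= self.last.get(m.sender, (-1, -1)):
            return False
        self.last[m.sender] = key
        return True


def burst(sender, start_ts, count, per_second):
    """Constructed firewall-style events: `count` log lines from one agent,
    spread evenly at `per_second` messages per second."""
    msgs = []
    for i in range(count):
        line = f"kernel: IN=eth0 SRC=192.0.2.{i % 254 + 1} DPT={1 + i % 1024}"
        msgs.append(Message(sender, start_ts + i // per_second, i, line))
    return msgs


def run(filt, msgs):
    """Number of messages the filter lets through."""
    return sum(1 for m in msgs if filt.accept(m))


# 1144315765 is 2006-04-06 09:29:25 UTC, the time of the quoted log entry.
def compare(count=437, per_second=200):
    msgs = burst("10.21.59.190", 1144315765, count, per_second)
    return {
        "timestamp_only": run(TimestampOnlyFilter(), msgs),
        "timestamp_and_seq": run(TimestampSeqFilter(), msgs),
    }


def replay_rejected():
    """A copy of an already-accepted message is still refused by the
    (timestamp, seq) filter, so replay protection is preserved."""
    f = TimestampSeqFilter()
    msgs = burst("10.21.59.190", 1144315765, 3, 3)
    first_pass = [f.accept(m) for m in msgs]
    return first_pass == [True, True, True] and not f.accept(msgs[1])


if __name__ == "__main__":
    print(compare())        # {'timestamp_only': 3, 'timestamp_and_seq': 437}
    print(replay_rejected())  # True
```

With 437 constructed messages spread over three seconds, the timestamp-only filter keeps one message per second and drops the other 434, which is the pattern reported above; the (timestamp, seq) filter keeps all of them while still refusing a replayed copy. The same effect applies to any monotonic per-sender key with finer resolution than the burst rate.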
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.