Daniel,

sgi_fam is a file monitoring process that resides at the kernel level to notify a process that another file has changed. What this gives us is the ability to be notified when a new log entry is added to the logs rather than having to poll periodically. In that way, action responses can be almost immediate for very serious levels of alerts, say, above 10. It does potentially generate a higher amount of disk IO, as you are now reading files one or two lines at a time rather than in blocks, as you would do if you poll every minute or so.

I'm only just getting into OSSEC, so my question may be a bit premature and may get answered as I delve further into the internals.

Thanks for your response,

bill

Daniel Cid wrote:
> Hi Bill,
>
> What do you mean by that (I never used fam)? If ossec can analyze sgi_fam logs, or is there something that fam can do that I am not aware of?
>
> If it is related to the logs, can you provide some log samples to us? With the logs it should be simple to add support for it...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 6/23/06, Bill Long <bitman@xxxxxxxxxxxx> wrote:
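Bill's point above is that a change monitor such as FAM only tells you *that* the log grew; the reader still has to pick up only the newly appended bytes, cope with a write that ends mid-line (since you are now consuming "one or two lines at a time"), notice truncation on rotation, and react immediately when an alert's level is above 10. The following is an added example of that reader, not code from OSSEC or from either poster. The notification source (FAM/inotify) is assumed and stubbed: the demo appends constructed OSSEC-style `Rule: N (level M)` lines and then calls `on_change()` directly, as the monitor would.

```python
"""Incremental log reader meant to be driven by file-change notifications.

Example code (not OSSEC's): the change monitor (FAM, inotify, ...) is assumed
to call LogTailer.on_change() whenever the watched file changes.  The reader
keeps its byte offset so each call reads only what was appended, holds back a
trailing partial line until the rest arrives, resets when the file shrinks
(truncation / in-place rotation) and records alerts above a level threshold.
"""
import os
import re
import tempfile

# OSSEC alert lines carry "Rule: <id> (level <n>) -> '...'" (format from the
# project's alert log; sample lines below are constructed, not real alerts).
LEVEL_RE = re.compile(r"Rule: (\d+) \(level (\d+)\)")


class LogTailer:
    def __init__(self, path, threshold=10):
        self.path = path
        self.threshold = threshold  # "above 10" => level > threshold
        self.offset = 0             # bytes consumed so far
        self.partial = b""          # incomplete trailing line held back
        self.urgent = []            # (rule_id, level, line) above threshold

    def on_change(self):
        """Handler for one change notification; returns complete lines read."""
        size = os.stat(self.path).st_size
        if size < self.offset:
            # File shrank: truncated or rotated in place. Start from the top.
            # (Comparing inode numbers is the more robust rotation check.)
            self.offset = 0
            self.partial = b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()        # only the bytes appended since last call
        self.offset += len(chunk)
        lines = (self.partial + chunk).split(b"\n")
        self.partial = lines.pop()  # last piece is incomplete (or empty)
        out = []
        for raw in lines:
            line = raw.decode("utf-8", "replace")
            out.append(line)
            self._handle(line)
        return out

    def _handle(self, line):
        m = LEVEL_RE.search(line)
        if m and int(m.group(2)) > self.threshold:
            # Immediate action would be triggered here (active response, page).
            self.urgent.append((int(m.group(1)), int(m.group(2)), line))


def demo():
    """Simulate the monitor: append, notify, append, notify ... (constructed data)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    tailer = LogTailer(path)
    batches = []

    def append_and_notify(data):
        with open(path, "ab") as f:
            f.write(data)
        batches.append(tailer.on_change())

    append_and_notify(b"Rule: 5716 (level 5) -> 'SSHD authentication failed.'\n")
    # A write that stops mid-line: nothing may be emitted yet.
    append_and_notify(b"Rule: 5720 (level 10) -> 'Multiple SSHD auth")
    append_and_notify(b"entication failures.'\n"
                      b"Rule: 40111 (level 12) -> 'Auth failures followed by a success.'\n")
    # In-place rotation: file truncated and rewritten shorter than the old offset.
    with open(path, "wb") as f:
        f.write(b"Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed.'\n")
    batches.append(tailer.on_change())
    os.remove(path)
    return tailer, batches


if __name__ == "__main__":
    t, b = demo()
    for i, lines in enumerate(b):
        print(f"notification {i}: {len(lines)} line(s)")
    print("urgent:", [(r, lvl) for r, lvl, _ in t.urgent])
```

Each notification reads only the appended bytes, which is the extra disk IO Bill mentions relative to reading a minute's worth of lines in one block; the partial-line buffer is what keeps a mid-line write from producing a garbled alert.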