[ossec-list] analysisd.stats_percent_diff
Folks,
analysisd.stats_percent_diff (which determines how much the size of a log
file must differ from normal for it to trigger an alert) won't accept
values larger than 99%.
My server gets wildly variable amounts of traffic. On a busy day it does
at least fifty times as much work as it does on a quiet day. I really
don't want to be bothered by log-size alerts unless a log is going
completely crazy and threatening to fill /var. A log being double its
average daily size is not newsworthy.
What do I do if I want to say 'don't alert me unless the log is ten times
its usual size'? Either I'm misunderstanding the semantics of this
parameter, or this is a bit of a limitation/misdesign.
--
Thorne Lawler
Technical Consultant
ICT Outsourcing Services | Infrastructure Services | Unix Storage and
Delivery
KAZ Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
thorne.lawler@xxxxxxxxxxxxx | www.kaz-group.com
--------------------------------------------------------------------------------
This communication may contain confidential information and/or copyright
material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies
corporate. It may also be the subject of legal professional privilege. If
you are not an intended recipient, you must not keep, forward, copy, use,
save or rely on this communication and any such action is unauthorised and
prohibited. If you have received this communication in error, please reply
to this e-mail to notify the sender of its incorrect delivery, and then
delete both it and your reply.