[ossec-list] Re: "Excessive number of events" rule 11
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: "Excessive number of events" rule 11
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 3 Jul 2007 21:00:09 -0300
Hi Serge,
This number is based on the amount of logs received, not alerts generated.
Since you are monitoring your apache logs, the number of logs can grow quite
a bit if you have more traffic in one day. I would recommend ignoring these
alerts (just set the "stats" in the global config to a low value -- below 6)...
http://www.ossec.net/en/manual.html#global_options
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/29/07, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
>
> I'm getting alerts like this one every 2-5 hours:
>
> OSSEC HIDS Notification.
> 2007 Jun 28 20:08:29
>
> Received From: (host) IP_ADDRESS->/opt/****-access_log
> Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
> Portion of the log(s):
>
> The average number of logs between 20:00 and 21:00 is 32. We reached 283.
>
> What confuses me is that there are no other alerts regarding that file
> during that hour. Neither in e-mail nor in the alerts.log file. Why
> am I getting those then?
>
> --
> Serge Dubrouski.
>
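The point of Daniel's answer, that rule 11 keys on the volume of raw log lines per hour and not on how many alerts those lines produced, is easy to see in a small model. The block below is an added example, not OSSEC's own code (the real logic lives in analysisd and is not reproduced here). It counts Apache access-log lines per hour, compares each hour with a stored per-hour-of-day baseline, and emits a rule-11-style alert when the count is well above the average. The `ratio` threshold and the `baseline` dictionary are assumptions of this toy model; the `stats_level` parameter stands in for the `<stats>` option in the `<global>` section of ossec.conf, and `email_alert_level` for OSSEC's default e-mail threshold of 7. The log lines are constructed, not taken from the thread.

```python
"""Toy model of OSSEC's 'Excessive number of events' (rule 11) check.

Added example, not OSSEC's own code. The alert depends only on how many
log lines arrived in an hour, so it can fire while no other rule matches.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Apache access-log lines (not from the thread).
SAMPLE_LOG = """\
10.0.0.1 - - [28/Jun/2007:20:08:29 -0600] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [28/Jun/2007:20:15:01 -0600] "GET /index.html HTTP/1.1" 200 1024
10.0.0.3 - - [28/Jun/2007:20:40:10 -0600] "GET /robots.txt HTTP/1.1" 404 210
10.0.0.4 - - [28/Jun/2007:21:02:00 -0600] "GET / HTTP/1.1" 200 512
"""

# Matches the Apache timestamp and captures day/month/year:hour.
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}):\d{2}:\d{2} [+-]\d{4}\]")


def count_per_hour(log_text):
    """Return {'YYYY-MM-DD HH': line_count} for every line carrying a timestamp.

    Every line is counted, whether or not any rule would later alert on it;
    that is exactly why the stats alert and the per-rule alerts can disagree.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = APACHE_TS.search(line)
        if not m:
            continue  # lines without a parsable timestamp are skipped
        hour = datetime.strptime(m.group(1), "%d/%b/%Y:%H")
        counts[hour.strftime("%Y-%m-%d %H")] += 1
    return dict(counts)


def excessive_events(observed, baseline, stats_level=8, ratio=2.0):
    """Compare each observed hour with the baseline average for that hour of day.

    `baseline` maps hour-of-day ('20') to the average line count (assumed to
    have been learned earlier). `ratio` is an assumption of this model, not
    OSSEC's real threshold. `stats_level` mirrors <stats> under <global>.
    """
    alerts = []
    for hour_key, reached in sorted(observed.items()):
        hour_of_day = hour_key.split()[1]
        average = baseline.get(hour_of_day)
        if average is None or reached <= average * ratio:
            continue
        alerts.append({
            "rule": 11,
            "level": stats_level,
            "hour": hour_key,
            "average": average,
            "reached": reached,
            "message": (f"The average number of logs for hour {hour_of_day} "
                        f"is {average}. We reached {reached}."),
        })
    return alerts


def emailed(alerts, email_alert_level=7):
    """Keep only alerts at or above the e-mail threshold (OSSEC default: 7).

    Lowering <stats> below this threshold, as the reply suggests, is what
    makes the rule-11 notifications stop arriving by e-mail.
    """
    return [a for a in alerts if a["level"] >= email_alert_level]


if __name__ == "__main__":
    # Constructed baseline: on average one line in the 20:00 hour, two at 21:00.
    baseline = {"20": 1, "21": 2}
    for alert in emailed(excessive_events(count_per_hour(SAMPLE_LOG), baseline)):
        print(f"Rule {alert['rule']} fired (level {alert['level']}) -> {alert['message']}")
```

Feeding the thread's own numbers (average 32, reached 283 for the 20:00 hour) to `excessive_events` produces the alert at level 8, which passes the e-mail filter; calling it with `stats_level=5` produces the same alert but `emailed` drops it, which is the effect of the configuration change Daniel recommends.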
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.