
[ossec-list] Re: "Excessive number of events" rule 11



Thanks, Daniel -

I've already figured it out. There is no actual reason to monitor
Apache access_log that can be really big. All default apache rules are
built against error_log.

Thanks.
Serge.

On 7/3/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Hi Serge,
>
> This number is based on the amount of logs received, not alerts
> generated. Since you
> are monitoring your apache logs, the number of logs can grow quite a
> bit if you have
> more traffic in one day. I would recommend ignoring these alerts (just
> set the "stats"
> in the global config to a low value -- below 6)...
>
> http://www.ossec.net/en/manual.html#global_options
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 6/29/07, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
> >
> > I'm getting alerts like this one every 2-5 hours:
> >
> > OSSEC HIDS Notification.
> > 2007 Jun 28 20:08:29
> >
> > Received From: (host) IP_ADDRESS->/opt/****-access_log
> > Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
> > Portion of the log(s):
> >
> > The average number of logs between 20:00 and 21:00 is 32. We reached 283.
> >
> > What confuses me is that there are no other alerts regarding that file
> > during that hour. Neither in e-mail nor in the alerts.log files. Why
> > am I getting those then?
> >
> > --
> > Serge Dubrouski.
> >
>


-- 
Serge Dubrouski.
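To make Daniel's point concrete (the stats rule counts lines received per hour against that hour's historical average, and fires whether or not any other rule matched those lines), here is a small model of that check in Python. It is an added illustration written for this thread, not OSSEC's own code: OSSEC keeps its baseline on disk and its exact averaging is not described here. The threshold values (FIRE_FACTOR, MIN_EVENTS), the function names, the shape of the HISTORY table and the access_log lines are all constructed for the example.

```python
"""Toy model of how a stats rule like OSSEC rule 11 decides to fire.

Added illustration, not OSSEC code. The one property kept from the
real thing is the one that confused the thread: the check counts log
lines *received* per hour for a file and compares that with the
average for the same hour slot on earlier days. It never asks whether
any of those lines matched another rule, so a busy access_log can
trigger it with nothing else in alerts.log for that hour.
"""
import re
from collections import Counter
from statistics import mean

FIRE_FACTOR = 2.0   # fire when count > FIRE_FACTOR * hourly average (assumed value)
MIN_EVENTS = 20     # never fire below this many lines in the hour (assumed value)

# Apache combined-format timestamp, e.g. [28/Jun/2007:20:08:29 -0600]
_TS = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:(\d{2}):\d{2}:\d{2} [+-]\d{4}\]")


def hour_of(line):
    """Return the hour (0-23) of an access_log line, or None if it has no timestamp."""
    m = _TS.search(line)
    return int(m.group(1)) if m else None


def count_per_hour(lines):
    """Count how many lines arrived in each hour, ignoring their content."""
    counts = Counter()
    for line in lines:
        h = hour_of(line)
        if h is not None:
            counts[h] += 1
    return counts


def check_hour(hour, count, history):
    """Compare this hour's count with past counts for the same hour slot.

    history maps hour -> list of counts seen on previous days (constructed).
    Returns an alert message in the style of rule 11, or None when the
    count is within the normal range or no baseline exists yet.
    """
    past = history.get(hour)
    if not past:
        return None
    avg = round(mean(past))
    if count >= MIN_EVENTS and count > FIRE_FACTOR * avg:
        return (f"The average number of logs between {hour:02d}:00 and "
                f"{(hour + 1) % 24:02d}:00 is {avg}. We reached {count}.")
    return None


def access_line(hour, minute, path="/index.html"):
    """Build one constructed access_log line (fake client IP and date)."""
    return (f'10.0.0.1 - - [28/Jun/2007:{hour:02d}:{minute:02d}:00 -0600] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed input: a busy 20:00 hour (283 lines, as in the thread) and a
# normal 21:00 hour. None of these lines would match an ordinary rule.
SAMPLE_LINES = ([access_line(20, i % 60) for i in range(283)]
                + [access_line(21, i % 60) for i in range(30)])

# Constructed baseline: per-hour counts from previous days (average for 20:00 is 32).
HISTORY = {20: [30, 34, 32], 21: [28, 31, 33]}


def run(lines=SAMPLE_LINES, history=HISTORY):
    """Return the stats alerts the model would raise for these lines."""
    counts = count_per_hour(lines)
    alerts = []
    for hour in sorted(counts):
        msg = check_hour(hour, counts[hour], history)
        if msg:
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in run():
        print("Rule 11 fired (level 8) ->", alert)
```

Running it reproduces the message from Serge's original mail for the 20:00 hour and stays silent for 21:00. Lowering the "stats" level below the e-mail alert level, as Daniel suggests, corresponds here to simply not mailing what run() returns; the count itself is unchanged, which is why dropping the noisy access_log from monitoring (Serge's final answer) is the cleaner fix when nothing in the default ruleset uses that file.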




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.