Rule:502 - OSSEC Wiki

From OSSEC Wiki

Jump to: navigation, search

Rule:

 <rule id="502" level="3">
   <if_sid>500</if_sid>
   <options>alert_by_email</options>
   <match>Ossec started</match>
   <description>Ossec server started.</description>
 </rule>

Inside file: ossec_rules
Inside group(s): OSSEC
Depends on: Rule 500
False positive: None

Comments:

This rule fires when the OSSEC server is started.

Example of log:

ossec: Ossec started.

Retrieved from "http://www.ossec.net/wiki/index.php/Rule:502"

Views

Edit

Personal tools

Log in / create account

Documentation

Search