[ossec-list] what is the meanning Log Count?
김정철
2018-10-11 10:58:09 UTC
After installing Security Onion, on the Kibana dashboard there is the
following path:
OSSEC -> OSSEC - Log Count


Can you tell me in detail what OSSEC - Log Count specifically counts, i.e.
which log is counted?

In my case, I thought it was pointing to OSSEC's alerts or the OSSEC log.
It is different from the on-screen count (/var/ossec/logs/alerts/alerts.log).

What exactly does this log count mean?
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
j***@wazuh.com
2018-10-25 14:15:19 UTC
Hi,

Indeed, as you suspected, this reflects the alerts that also go into
the alerts.log file, but with a couple of caveats.
For one, only those that have an alert level higher than 0 are being
counted. And secondly, the alerts might not appear immediately on the
dashboard.

If you count the alerts in
/var/ossec/logs/alerts/yyyy/MMM/ossec-alerts-DD.log (where yyyy, MMM, DD
correspond to the date) from a previous day and compare them to the count
on the Kibana Dashboard for that day you will see it matches the sum of
those alerts.

For convenience you can see all alerts that match this criteria with grep:

zgrep "(level [1-9]" /var/ossec/logs/alerts/yyyy/MMM/ossec-alerts-DD.log | wc -l

Do note that levels go up to level 15, but this grep will match them without
matching level 0 alerts.

I hope this solves your inquiry,
Regards,
Juan Carlos
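A way to check the answer above by parsing the alert records instead of grepping single lines. This is an added example, not part of the thread and not OSSEC, Wazuh or Security Onion code; it assumes the standard multi-line OSSEC alerts.log layout (a "** Alert" header, a date line, a "Rule: N (level L)" line, then the raw event), and the four records embedded below are constructed, including a level-0 record that is only there to exercise the filter. It also shows where a line-oriented grep drifts: a raw event whose text happens to contain "level 3" is counted by the grep but not by the record parser.

```python
"""Count OSSEC alerts the way the Kibana "Log Count" panel does (level > 0)
by parsing the multi-line records of an ossec-alerts-DD.log file.
Added example; not OSSEC/Wazuh/Security Onion code. The record layout is the
standard OSSEC alerts.log format; the sample records are constructed."""
import re
from collections import Counter

# Constructed sample: four records across two days. The second record's raw
# event mentions "level 3" in its message text, and the third is a level-0
# record (not normally written to alerts.log) to exercise the filter.
SAMPLE_ALERTS = """\
** Alert 1539250689.12345: - syslog,sshd,authentication_success,
2018 Oct 11 10:58:09 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 10.0.0.9
User: alice
Oct 11 10:58:08 web01 sshd[1234]: Accepted password for alice from 10.0.0.9 port 51234 ssh2

** Alert 1539250701.12400: - syslog,errors,
2018 Oct 11 10:58:21 (web01) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Oct 11 10:58:20 web01 app[555]: error: log level 3 configured, failed to open socket

** Alert 1539250710.12450: - ossec,
2018 Oct 11 10:58:30 (web01) 10.0.0.5->ossec
Rule: 500 (level 0) -> 'Ignored event.'
ossec: informational event

** Alert 1539337100.20000: - syslog,sshd,authentication_failed,
2018 Oct 12 10:58:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 10.0.0.77
User: root
Oct 12 10:58:19 web01 sshd[1300]: Failed password for root from 10.0.0.77 port 40000 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): (.*)$")
DATE_RE = re.compile(r"^(\d{4} \w{3} \d{2}) \d{2}:\d{2}:\d{2} \((\S+)\)")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split the log into records (each starts with '** Alert') and pull out
    the fields the dashboard keys on: date, host, rule id, level, description."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": int(m.group(1)),
                       "groups": m.group(3).strip(" -,").split(",")}
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first record header
        m = DATE_RE.match(line)
        if m and "date" not in current:
            current["date"], current["host"] = m.group(1), m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and "level" not in current:  # only the record's own Rule line
            current["rule_id"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
    return alerts


def count_dashboard_alerts(text, min_level=1):
    """What the 'Log Count' panel reflects: one per alert record with level > 0."""
    return sum(1 for a in parse_alerts(text) if a.get("level", 0) >= min_level)


def count_by_day(text, min_level=1):
    """Per-day totals, to compare with the dashboard's count for a given day."""
    return Counter(a["date"] for a in parse_alerts(text)
                   if a.get("level", 0) >= min_level)


def naive_grep_count(text):
    """Line-oriented equivalent of `zgrep "level [1-9]" ... | wc -l`; any raw
    event text that mentions 'level N' is counted as well."""
    return sum(1 for line in text.splitlines() if re.search(r"level [1-9]", line))


if __name__ == "__main__":
    print("dashboard-style count:", count_dashboard_alerts(SAMPLE_ALERTS))
    print("per day:", dict(count_by_day(SAMPLE_ALERTS)))
    print("line grep count:", naive_grep_count(SAMPLE_ALERTS))
```

To run this against a real day, read /var/ossec/logs/alerts/yyyy/MMM/ossec-alerts-DD.log (gzip.open for rotated .gz files) and pass its text to count_by_day; the per-day figure is what should line up with the dashboard once the alerts have been indexed. Anchoring the grep on "(level " gets the same effect for the one-liner, because the parenthesis only appears on the Rule line.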