-
This is a suggestion to add functionality to recover from a system crash or the crash of the generic sguil agent.
Let's say the generic agent is reading a syslog file and crashes. When you start the agent back up, it will re-read events it has already seen, inputting them to the database and presenting them as new events. I think if there was something similar to barnyard's waldo file, the...
2008-10-31 15:24:16 UTC in Sguil
-
Not sure if this is possible since technically it would be a modification to barnyard. However, since we patch barnyard to work with sguil, it may be possible.
Currently in debug mode, there is no message or error to the user if he/she is trying to read invalid unified log/alert files using barnyard with the sguil output plugin. I think such errors would be helpful and here's why:
As...
2008-10-31 15:21:16 UTC in Sguil
-
I think it would be great if users could look at events, investigate them, etc. but once they are done with the event, have the ability to either 1.) archive them or 2.) classify and then archive them. Essentially, I don't want to see anything I've already seen. I want to tuck away old events and only see events that are new since the last time I logged in or since the last time I classified...
2008-09-16 15:10:08 UTC in OSSIM
-
ONLINE_MODE=yes provides similar functionality.
2006-09-26 21:12:35 UTC in FW1-Loggrabber
-
When I run fw1-loggrabber, it writes to a file - as expected. If I run it again, it appends the CP logs to the end of the logfile I've specified in my configuration. I think it would be great to only pull new events/entries that have shown up on the management station since the last time I ran fw1-loggrabber. Ideally I would like to cron up loggrabber to run every 60 seconds and only...
2006-09-26 19:09:27 UTC in FW1-Loggrabber