
List:       ossec-dev
Subject:    Re: [ossec-dev] Re: Generating fake alerts
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2013-02-26 20:31:04
Message-ID: CAMyQvMoDGGeex1XtOEytf0evDXk7R60mwgdgP74iw8x936QF0w () mail ! gmail ! com

On Wed, Feb 20, 2013 at 6:43 PM, JB Cheng <jjoobbcc@gmail.com> wrote:
> I am not aware of pre-written testing suites to do what you want.
> 
> You can start by looking at etc/decoder.xml, which contains many log samples.
> To generate 5000+ events per second, you can write a script to replay the
> sample logs, substituting the time stamps with new time, and append the logs
> to one of the monitored locations:

You could easily use the logger application to push the logs into syslog.

> <location>/var/log/messages</location>
> <location>/var/log/authlog</location>
> <location>/var/log/secure</location>
> <location>/var/log/xferlog</location>
> <location>/var/log/maillog</location>
> <location>/var/www/logs/access_log</location>
> <location>/var/www/logs/error_log</location>
> 
> 
> On Thursday, February 14, 2013 7:08:37 AM UTC-8, Thomas Gray wrote:
> > 
> > Hi there guys
> > 
> > I need to test my ossec installation in terms of testing its maximum
> > throughput - for this, I need to really generate as many alerts as possible
> > (am hoping to generate 5000+ per second). I can spread this across many
> > internal machines, but I really need to know how to generate a log on a *nix
> > machine that Ossec will pick up, and then try and "fake" match it to a
> > signature. I need to be able to test that it will have the throughput I want
> > when it accesses any signature, not just one or two.
> > 
> > 
> > Are there any pre-written testing suites to do this? If not, how would you
> > suggest I accomplish it?
> > 
> > Many thanks
> > 
> > Best regards
> > 
> > Tom
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-dev+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
> 
> 

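The replay approach described in the thread (take sample log lines, swap in a fresh timestamp, append them to a monitored file at a fixed rate), as an added example that is not part of the original messages. The function names, the sample lines and the output path are assumptions; the path must be one of the `<location>` entries your agent monitors.

```python
import re
import time
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# Classic syslog prefix, e.g. "Feb 14 07:08:37 " (day of month is space-padded).
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

# Constructed sample lines; in practice, collect them from etc/decoder.xml.
SAMPLES = [
    "Feb 14 07:08:37 host1 sshd[4242]: Failed password for invalid user "
    "test from 192.0.2.10 port 51234 ssh2",
    "Feb  3 01:02:03 host1 sshd[4243]: Accepted password for alice "
    "from 192.0.2.11 port 51235 ssh2",
]

def restamp(line, now):
    """Replace a leading syslog timestamp with `now`; other lines pass through."""
    stamp = "%s %2d %02d:%02d:%02d " % (
        MONTHS[now.month - 1], now.day, now.hour, now.minute, now.second)
    return SYSLOG_TS.sub(lambda m: stamp, line, count=1)

def replay(samples, path, rate, seconds, clock=datetime.now, sleep=time.sleep):
    """Append about `rate` restamped lines per second to `path` for `seconds`.

    Returns the number of lines written, to compare against the alert count.
    """
    written = 0
    with open(path, "a") as out:
        for _ in range(seconds):
            start = time.monotonic()
            now = clock()
            for i in range(rate):
                sample = samples[(written + i) % len(samples)]
                out.write(restamp(sample, now) + "\n")
            written += rate
            out.flush()  # make the batch visible to the log reader now
            # Sleep off the rest of the second so the rate stays near target.
            sleep(max(0.0, 1.0 - (time.monotonic() - start)))
    return written

if __name__ == "__main__":
    # Hypothetical target file; point it at a monitored <location>.
    print(replay(SAMPLES, "/tmp/ossec-replay.log", rate=5000, seconds=10))
```

Comparing the returned line count with the number of alerts recorded for the same window shows whether events were dropped at that rate.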

