What happens when trying to start a new session if the maximum session limit has already been reached?
If the maximum number of sessions has been reached and a new session is initialized, the session that has been inactive for the longest time is closed.
Logtest will detect when the token is not valid, process the log, and return the result identifying the new session.
There are 3 reasons why a session may have been closed:
- Forced logout via a logout request.
- The session has been idle longer than the session_timeout defined in the rule_test configuration in ossec.conf.
- The max_sessions number of sessions has been reached and a new session replaces the session that has been idle the longest.
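
The session lifecycle described above (an invalid token yields a new session, and the three closure reasons), as a toy model added here for illustration; it is not Wazuh's code, and the SessionTable class, the tokN token format and the timings are assumptions.

```python
import itertools

class SessionTable:
    """Toy model of the session handling described above (not Wazuh code)."""

    def __init__(self, max_sessions, session_timeout):
        self.max_sessions = max_sessions        # models max_sessions
        self.session_timeout = session_timeout  # models session_timeout, in seconds
        self.last_used = {}                     # token -> time of last request
        self.closed = []                        # (token, reason) audit trail
        self._ids = itertools.count(1)

    def _close(self, token, reason):
        del self.last_used[token]
        self.closed.append((token, reason))

    def expire_idle(self, now):
        for token, seen in list(self.last_used.items()):
            if now - seen > self.session_timeout:
                self._close(token, "timeout")

    def logout(self, token):
        if token in self.last_used:
            self._close(token, "logout")

    def process(self, token, now):
        """Handle one log request; return the token the caller must use next."""
        self.expire_idle(now)
        if token not in self.last_used:          # missing, expired or evicted token
            if len(self.last_used) >= self.max_sessions:
                oldest = min(self.last_used, key=self.last_used.get)
                self._close(oldest, "evicted")   # longest-idle session is replaced
            token = f"tok{next(self._ids)}"      # constructed token format
        self.last_used[token] = now
        return token

def demo():
    table = SessionTable(max_sessions=2, session_timeout=900)
    a = table.process(None, now=0)     # first session
    b = table.process(None, now=10)    # second session, limit now reached
    table.process(a, now=20)           # a becomes fresher than b
    c = table.process(None, now=30)    # new session replaces b (longest idle)
    b2 = table.process(b, now=40)      # stale token: log handled in a new session
    table.logout(c)                    # forced logout
    d = table.process(b2, now=2000)    # b2 idle for more than 900 s: timed out
    return a, b, c, b2, d, table.closed
```

A client that keeps sending an evicted token still gets its log processed; the change of token in the reply is the only signal that earlier session state is gone.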
Currently, the Wazuh-Logtest solution checks rules and decoders with syslog and JSON event formats.
The firedtimes counter is used to determine whether the rule has reached the frequency required to generate the alert. Unlike in wazuh-analysisd, the counter is not reset every hour; it persists throughout the session.