FAQ
What happens when trying to start a new session if the maximum session limit has already been reached?
If reached the maximum number of sessions and initialized a new session, then the session that has been inactive for the longest time is closed.
What happens when trying to use an invalid logtest token?
Logtest will detect when the token is not valid, process the log, and return the result identifying the new session.
When is a session closed?
- There are 3 reasons why a session has been closed
Force logout via a logout request.
The session has been idle longer than the session_timeout defined in the rule_test configuration in ossec.conf.
The max_session number of sessions has been reached and a new session replaces the session that has been idle the longest.
What events are recognized by the Wazuh-Logtest solution?
Currently Wazuh-Logtest solution check rules and decoders with syslog and JSON event format.
What is the behavior of the firedtimes counter?
The firedtimes counter is used to determine if the rule reached the required frequency to generate the alert. Unlike wazuh-analysisd, the counter is not reset every hour, it stays throughout the session.