Using ossec as central syslog server


De Nguyen

Oct 30, 2013, 11:30:41 PM
to ossec...@googlegroups.com
Dear all,

I'm a newbie with ossec. After I installed ossec and started it, csyslogd is not running on my ossec server (server type). The status looks like this:
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
ossec-csyslogd not running...

I want to monitor hardware errors and warnings (RAID, SCSI HDD, RAM, etc.) from other servers and get an SMS when a server has a hardware problem. So, can I use ossec software for my solution?

Many thanks to everyone who has an idea for my solution using open source software.

Best Regards,

dan (ddp)

Oct 31, 2013, 12:12:26 AM
to ossec...@googlegroups.com


On Oct 30, 2013 11:33 PM, "De Nguyen" <mist...@gmail.com> wrote:
>
> Dear all,
>
> I'm a newbie with ossec. After I installed ossec and started it, csyslogd is not running on my ossec server (server type). The status looks like this:
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-remoted is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
> ossec-dbd is running...
> ossec-csyslogd not running...
>

Csyslogd is the client syslog daemon. It's used for sending alerts to other systems via syslog.
If that's what you are looking to do, you should send your config, along with the version of ossec you're using and the platform (OS specifically).

> I want to monitor hardware errors and warnings (RAID, SCSI HDD, RAM, etc.) from other servers and get an SMS when a server has a hardware problem. So, can I use ossec software for my solution?
>
> Many thanks to everyone who has an idea for my solution using open source software.
>
> Best Regards,
>

> You received this message because you are subscribed to the Google Groups "ossec-list" group.

De Nguyen

Oct 31, 2013, 12:44:26 AM
to ossec...@googlegroups.com
Dear Dan,

Thanks for your support.

I use ossec version 2.7 on Linux CentOS 5.8 32-bit.
I'm using ossec with apache 2.2.22, mysql 5.1.58, php 5.17 and Analogi 1.3 for log monitoring.

If I use ossec with a central syslog server on my server, can I achieve my solution? And if the answer is yes, which syslog server can I use (rsyslogd, syslog-ng, etc.)?

Please give me some ideas for this solution.

Thanks again for your help !

Best Regards,

dan (ddp)

Oct 31, 2013, 12:47:50 AM
to ossec...@googlegroups.com


On Oct 31, 2013 12:45 AM, "De Nguyen" <mist...@gmail.com> wrote:
>
> Dear Dan,
>
> Thanks for your support.
>
> I use ossec version 2.7 on Linux CentOS 5.8 32-bit.
> I'm using ossec with apache 2.2.22, mysql 5.1.58, php 5.17 and Analogi 1.3 for log monitoring.
>
> If I use ossec with a central syslog server on my server, can I achieve my solution? And if the answer is yes, which syslog server can I use (rsyslogd, syslog-ng, etc.)?
>

Any standard syslogd should work fine. They should work both for collecting the logs for ossec to use and as a destination for the alerts ossec sends.

> Please give me some ideas for this solution.
>

Provide the configuration, and ideally the ossec.log entries as well. I can't tell why ossec-csyslogd is failing without them.
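The two ways dan's answer allows for feeding a central syslog into ossec, as an added example that is not from the original post or from the OSSEC project. The rsyslog.conf posted later in this thread writes remote messages to /var/log/rhel6.log, a file the posted ossec.log shows ossec-logcollector is not reading (it lists /var/log/messages, /var/log/secure and so on), and the same ossec.log shows ossec-remoted's syslog listener accepting senders from 221.133.0.0/28 only. The first fragment below has logcollector tail the rsyslog-written file; the second lets agents send syslog straight to ossec-remoted on UDP/514, which does not collide with rsyslog's imtcp listener on TCP/514. The 192.168.1.0/24 range is an assumption for this example.

```xml
<ossec_config>
  <!-- Route 1: rsyslog receives from the remote hosts and writes a file,
       ossec-logcollector tails it. /var/log/rhel6.log is the file the
       posted rsyslog.conf creates with its FROMHOST-IP rule. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/rhel6.log</location>
  </localfile>

  <!-- Route 2: skip rsyslog and let ossec-remoted accept syslog itself.
       Only senders inside allowed-ips are accepted; the posted ossec.log
       shows this listener currently allows 221.133.0.0/28, so a
       192.168.1.x sender would be silently dropped until the range is
       changed. 192.168.1.0/24 is an assumed range for this example. -->
  <remote>
    <connection>syslog</connection>
    <protocol>udp</protocol>
    <port>514</port>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
```

After `/var/ossec/bin/ossec-control restart`, ossec.log should show either "Analyzing file: '/var/log/rhel6.log'" or "Remote syslog allowed from: '192.168.1.0/24'", matching the lines already visible in the posted log. Two caveats: syslog over UDP is unauthenticated, so allowed-ips is the only filter and a spoofed source address gets past it, which is why route 1 with a TCP listener on a management network is usually preferable; and a host that already runs the OSSEC agent (192.168.1.112 in the posted whitelist) needs neither route, because the agent's own <localfile> entries ship /var/log/messages to the server over the encrypted agent channel.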

De Nguyen

Oct 31, 2013, 3:08:54 AM
to ossec...@googlegroups.com
Dear Dan,

On my ossec server, I'm using rsyslogd as the central syslog server. The config files are:

/etc/sysconfig/rsyslog

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-c3"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

and /etc/rsyslog.conf :

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
$ModLoad imtcp
$InputTCPServerRun 514
:FROMHOST-IP, isequal, "192.168.1.111"                    /var/log/rhel6.log


my ossec.conf :



<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec@localhost</email_to>
    <smtp_server>localhost.localdomain</smtp_server>
    <email_from>ossecm@localhost</email_from>
    <logall>yes</logall>
  </global>

<database_output>
   <hostname>localhost</hostname>
   <username>ossec</username>
   <password>ossec</password>
   <database>ossec</database>
   <type>mysql</type>
</database_output>

...

 <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.1.111</white_list> <!-- My OSSEC server -->
    <white_list>192.168.1.112</white_list> <!-- My Agent linux Server -->
  </global>

...
</ossec_config>


All other configuration uses the ossec defaults.

my ossec.log :


2013/10/31 14:04:59 ossec-analysisd: INFO: Reading local decoder file.
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12844).
2013/10/31 14:04:59 ossec-remoted: Remote syslog allowed from: '221.133.0.0/28'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12845).
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12846).
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2013/10/31 14:04:59 ossec-analysisd: INFO: Total rules enabled: '1289'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '192.168.1.111'
2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '192.168.1.112'
2013/10/31 14:04:59 ossec-analysisd: INFO: 3 IPs in the white list for active response.
2013/10/31 14:04:59 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2013/10/31 14:04:59 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2013/10/31 14:04:59 ossec-analysisd: INFO: Started (pid: 12836).
2013/10/31 14:05:00 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2013/10/31 14:05:00 ossec-remoted(1410): INFO: Reading authentication keys file.
2013/10/31 14:05:00 ossec-remoted: INFO: Assigning counter for agent myagent: '39:897'.
2013/10/31 14:05:00 ossec-remoted: INFO: Assigning sender counter: 0:517
2013/10/31 14:05:00 ossec-monitord: INFO: Started (pid: 12856).
2013/10/31 14:05:02 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2013/10/31 14:05:02 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2013/10/31 14:05:04 ossec-syscheckd: INFO: Started (pid: 12852).
2013/10/31 14:05:04 ossec-rootcheck: INFO: Started (pid: 12852).
2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring output of command(360): df -h
2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
2013/10/31 14:05:05 ossec-logcollector: INFO: Started (pid: 12840).
2013/10/31 14:05:06 ossec-dbd: INFO: Started (pid: 12819).

Best Regards,

dan (ddp)

Oct 31, 2013, 3:12:57 AM
to ossec...@googlegroups.com


On Oct 31, 2013 3:10 AM, "De Nguyen" <mist...@gmail.com> wrote:
>
> Dear Dan,
>

To use the client syslog functionality, you'll have to configure it. This page has the syntax details you need:

http://ossec.net/doc/syntax/head_ossec_config.syslog_output.html
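The configuration dan points to, as an added example that is not from the original post or the OSSEC documentation; it also covers dan's earlier point that csyslogd exists to send alerts to other systems via syslog. In OSSEC 2.7 ossec-csyslogd stays in the "not running" state shown at the top of this thread until two things are done: a <syslog_output> block exists in ossec.conf, and the daemon is switched on with `/var/ossec/bin/ossec-control enable client-syslog` followed by a restart. The destination addresses and the "hardware" rule group are assumptions for this example.

```xml
<ossec_config>
  <!-- Forward every alert of level 7 or higher to an external syslog
       collector. The address is assumed for this example; csyslogd sends
       to UDP/514 in plain text, so keep the collector on a management
       network or point this at 127.0.0.1 and let the local rsyslogd
       relay it over TLS. -->
  <syslog_output>
    <server>192.168.1.200</server>
    <port>514</port>
    <level>7</level>
  </syslog_output>

  <!-- A second destination can receive a subset selected by rule group.
       The "hardware" group is assumed to be defined in local_rules.xml;
       a paging gateway that only wants hardware alerts would sit here. -->
  <syslog_output>
    <server>192.168.1.201</server>
    <port>514</port>
    <group>hardware</group>
  </syslog_output>
</ossec_config>
```

Then run `/var/ossec/bin/ossec-control enable client-syslog` and `/var/ossec/bin/ossec-control restart`; `ossec-control status` should now list ossec-csyslogd as running, and ossec.log gains a "Started" line for it alongside the ones already posted for the other daemons. The <level> threshold is independent of the email settings in <global>, so an alert can be emailed and not forwarded, or the reverse.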

De Nguyen

Oct 31, 2013, 5:06:35 AM
to ossec...@googlegroups.com
Dear Dan,

Thanks for your support. 

May I run the central syslog server and the ossec server on the same system?

And my main purpose is to use OSSEC to monitor the agents' hardware errors (such as RAID, HDD, etc.)?

Thanks and Best Regards,

dan (ddp)

Oct 31, 2013, 9:12:59 AM
to ossec...@googlegroups.com


On Oct 31, 2013 7:04 AM, "De Nguyen" <mist...@gmail.com> wrote:
>
> Dear Dan,
>

> Thanks for your support. 
>
> May I run the central syslog server and the ossec server on the same system?
>

Yes.
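The hardware monitoring and SMS paging asked about at the start and end of this thread, as an added example rather than anything posted here or shipped with OSSEC. The stock rule set does not target RAID, disk or memory errors specifically, so local rules are needed. The sample log lines in the comment are constructed in the syslog format an agent ships; the rule IDs (100100 and up, in the range reserved for local rules), the "hardware" group name and the SMS gateway address are this example's assumptions. The rules go in /var/ossec/rules/local_rules.xml, the <email_alerts> block in ossec.conf.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<!-- Constructed sample lines these rules are written against:
  Oct 31 14:05:05 rhel6 kernel: md/raid1:md0: Disk failure on sdb1, disabling device.
  Oct 31 14:05:05 rhel6 mdadm[2231]: Fail event detected on md device /dev/md0, component device /dev/sdb1
  Oct 31 14:05:06 rhel6 kernel: end_request: I/O error, dev sda, sector 8675309
  Oct 31 14:05:07 rhel6 smartd[1187]: Device: /dev/sda [SAT], 8 Currently unreadable (pending) sectors
  Oct 31 14:05:08 rhel6 kernel: EDAC MC0: 1 UE memory read error on CPU_SrcID#0_Channel#1_DIMM#0
-->
<group name="local,hardware,">
  <!-- Kernel block-layer and md messages about a dying or ejected disk.
       In <match>, "|" is OSSEC's OR and "^" anchors at the start. -->
  <rule id="100100" level="10">
    <program_name>kernel</program_name>
    <match>Disk failure on|I/O error, dev|Buffer I/O error on device</match>
    <description>Kernel reports a failed disk or a block I/O error.</description>
  </rule>

  <!-- mdadm --monitor writes these when an array degrades. -->
  <rule id="100101" level="10">
    <program_name>mdadm</program_name>
    <match>^Fail event detected|^DegradedArray event detected</match>
    <description>mdadm: RAID array degraded or member failed.</description>
  </rule>

  <!-- smartd pre-failure indicators; level 9 keeps a single report below
       the paging threshold used in <email_alerts> further down. -->
  <rule id="100102" level="9">
    <program_name>smartd</program_name>
    <match>unreadable (pending) sectors|offline uncorrectable sectors|SMART Failure|FAILED SMART self-check</match>
    <description>smartd: pending or uncorrectable sectors, or SMART failure.</description>
  </rule>

  <!-- Memory (EDAC) and CPU machine-check errors from the kernel. -->
  <rule id="100103" level="10">
    <program_name>kernel</program_name>
    <match>^EDAC |Machine check events logged|Hardware Error</match>
    <description>Kernel EDAC/MCE: memory or CPU hardware error.</description>
  </rule>

  <!-- Escalate when the same host keeps reporting smartd sector errors:
       three matches of 100102 from one location inside ten minutes. -->
  <rule id="100104" level="12" frequency="3" timeframe="600">
    <if_matched_sid>100102</if_matched_sid>
    <same_location />
    <description>smartd: repeated sector errors from the same host within 10 minutes.</description>
  </rule>
</group>

<!-- ossec.conf: page only the hardware group, at level 10 and above, in
     the short "sms" format and without the usual email batching delay.
     The address is an assumed email-to-SMS gateway for this example. -->
<ossec_config>
  <email_alerts>
    <email_to>5551234567@sms.example.net</email_to>
    <group>hardware</group>
    <level>10</level>
    <format>sms</format>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

Check each rule before relying on it: pipe one of the sample lines into `/var/ossec/bin/ossec-logtest` and confirm the "Rule id:" it prints is the local rule and not a built-in one, since a top-level local rule only wins over the stock kernel rules when its level is higher. The agents must also ship the log these messages land in; on CentOS 5 and 6 kernel, mdadm and smartd all write to /var/log/messages, which the default agent configuration already reads, so no syslog forwarding is needed for a host running the OSSEC agent. The <email_notification> and SMTP settings already present in the posted <global> block are what the <email_alerts> entry builds on.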
