OSSEC v1.4 - Multiple Logs Definition Error


Kevin Reiter

Nov 20, 2007, 2:01:42 PM
to ossec...@googlegroups.com
All,

I'm currently running OSSEC-HIDS v1.4 on FreeBSD 6.2-RELEASE along with Syslog-NG (v2.0.3) and I'm having a problem relating to reading multiple logs.

According to http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs I can use a '*' wildcard in the ossec.conf to specify multiple logs within a directory, such as:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/*.log</location>
</localfile>

However, when I use the following in my ossec.conf:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/current/*.log</location>
</localfile>
(where /var/log/current/ is a symlink to another directory that changes daily)

I get the following error when starting ossec:

root@logmeister [/usr/local/ossec-hids/etc]# ossec-control start
Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
2007/11/20 12:50:04 ossec-logcollector(1901): Missing 'log_format' element.
2007/11/20 12:50:04 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2007/11/20 12:50:04 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
ossec-logcollector: Configuration error. Exiting

Here's the info on the symlink directory:

root@logmeister [/usr/local/ossec-hids/etc]# ls -l /var/log/current
lrwxr-xr-x 1 root wheel 33 Nov 20 12:41 /var/log/current@ -> /usr/local/logs/remote/2007/11/20

Has anyone else had a similar issue in the past? If so, what was the resolution?

Thanks,
Kevin


Kevin Reiter
Senior Security Engineer
Financial Services, Inc.
21 Harristown Road
Glen Rock, New Jersey 07452
(201)652-6000, ext. 588
PGP ID: 0xEE665233

Kevin Reiter

Nov 23, 2007, 11:58:17 AM
to ossec...@googlegroups.com
Anyone??

Peter M. Abraham

Nov 23, 2007, 3:49:32 PM
to ossec-list
Greetings Kevin:

While we do not have cause at present to take advantage of the
multiple log method, I would recommend two tests for you to try:

1. Manually type in the required format (to make sure no special
characters were transferred from a copy and paste), and try using a single
log.

2. Try the following:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/current@</location>
</localfile>

Thank you.
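
As an added example (not code from the thread or from the OSSEC project), here is a small pre-flight check for the <localfile> entries in an ossec.conf like the ones above. It parses each entry, flags a missing <log_format> (the exact error ossec-logcollector printed in Kevin's post), shows where a symlinked directory such as /var/log/current actually resolves, and reports wildcard locations that match no file at the moment the check runs, which matters when the link target rotates daily. The sample configuration embedded in the block is constructed for the example, and the glob and realpath hooks are injectable assumptions so the check can be exercised without touching the real filesystem.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample (not from any real host): one correct entry and one
# wildcard entry behind a symlinked directory that lacks <log_format>,
# mirroring the configuration error reported in the thread.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <location>/var/log/current/*.log</location>
  </localfile>
</ossec_config>"""


def parse_localfiles(conf_text):
    """Return one {'log_format': ..., 'location': ...} dict per <localfile>
    element, in document order. A missing child element becomes None."""
    root = ET.fromstring(conf_text)
    return [
        {"log_format": lf.findtext("log_format"),
         "location": lf.findtext("location")}
        for lf in root.iter("localfile")
    ]


def check_localfiles(entries, glob_fn=glob.glob, realpath_fn=os.path.realpath):
    """Return a list of (entry_number, problem) tuples.

    glob_fn and realpath_fn default to the real filesystem; tests pass fakes.
    Entry numbers start at 1 to match the order in the configuration file."""
    problems = []
    for idx, entry in enumerate(entries, start=1):
        if not entry["log_format"]:
            # This is the condition behind "Missing 'log_format' element."
            problems.append((idx, "missing <log_format>"))
        loc = entry["location"]
        if not loc:
            problems.append((idx, "missing <location>"))
            continue
        directory, pattern = os.path.split(loc)
        real_dir = realpath_fn(directory)
        if real_dir != directory:
            # Report the resolved target so the operator can confirm the
            # collector is looking at the intended day's directory.
            problems.append((idx, f"symlink: {directory} -> {real_dir}"))
        if "*" in pattern and not glob_fn(loc):
            problems.append((idx, f"wildcard {loc} currently matches no file"))
    return problems


if __name__ == "__main__":
    # Run against the embedded sample using the real filesystem.
    for number, problem in check_localfiles(parse_localfiles(SAMPLE_CONF)):
        print(f"localfile #{number}: {problem}")
```

Run it on the agent host with the real ossec.conf read into parse_localfiles(); any "missing <log_format>" line is a guaranteed start-up failure, while the symlink and wildcard lines are informational and worth re-running after the daily link change.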

Le Quang Chinh

Nov 26, 2007, 3:48:54 AM
to ossec...@googlegroups.com
hi Kevin,

In my case, I use the 'log' function from Syslog-NG to forward these logs to the OSSEC server, where the OSSEC server uses a port number other than 514 for receiving syslog messages. So the ossec.conf file contains:

<remote>
<connection>syslog</connection>
<port>3514</port>
</remote>

And the syslog-ng.conf has:

source s_remote {
tcp(ip(0.0.0.0) port(514) max-connections(100));
udp(ip(0.0.0.0) port(514));
};
destination d_ossec { udp("192.168.X.Y" port(3514) spoof_source(yes)); };

log { source(s_remote); destination(d_ossec); };

Note that Syslog-NG version 2.0.3 or above supports the spoof-source attribute.


-Chinh


----- Original Message -----
From: "Kevin Reiter" <KRe...@insidefsi.net>
To: ossec...@googlegroups.com
Sent: Wednesday, November 21, 2007 2:01:42 AM (GMT+0700) Asia/Bangkok
Subject: [ossec-list] OSSEC v1.4 - Multiple Logs Definition Error

Kevin Reiter

Nov 26, 2007, 10:20:24 AM
to ossec...@googlegroups.com
That seems to have done the trick, thanks!

-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com]On

Kevin Reiter

Nov 27, 2007, 11:07:27 AM
to ossec...@googlegroups.com
Actually, that didn't work out after all..