Ossec installation for current running system?


frwa onto

May 16, 2013, 9:02:00 PM
to ossec-list
I have a web server and a DB server running and just came across this
wonderful tool. Do you think it is fine to install OSSEC at this stage,
as my servers have been running for a few months already? Will it
still be able to help me with intrusion detection, and how about file
integrity checking? Thank you.

dan (ddp)

May 16, 2013, 9:35:14 PM
to ossec...@googlegroups.com
You should be able to check the integrity of many of the files on the
system by comparing them to rpm. I don't see a problem installing
OSSEC onto a system that's been running already.


dan (ddp)

May 31, 2013, 10:18:50 AM
to ossec...@googlegroups.com
On Sun, May 19, 2013 at 6:12 AM, frwa onto <frwa...@gmail.com> wrote:
> Thank you dan. Once I installed Ossec is there any command to run to inspect
> my current system for any possible intrusion signs?

rootcheck may provide some indication of compromise (should it see
evidence). But there isn't really a command to run to perform specific
checks.

frwa onto

May 31, 2013, 11:29:59 AM
to ossec...@googlegroups.com
Dear Dan,
Sorry, I am new to OSSEC. What command should I run once I have started OSSEC to scan my system, e.g. to run rootcheck? Thank you.


dan (ddp)

May 31, 2013, 11:36:46 AM
to ossec...@googlegroups.com
On Fri, May 31, 2013 at 11:29 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> Sorry I am new into Ossec what command should I run once I

It should run by default.

frwa onto

Jun 1, 2013, 12:04:42 AM
to ossec...@googlegroups.com
Dear Dan,
In case it reports anything, where is the best place to look? Is it in its particular designated log files? Which are the main log files to be monitored?

dan (ddp)

Jun 5, 2013, 9:44:18 AM
to ossec...@googlegroups.com
On Sat, Jun 1, 2013 at 12:04 AM, frwa onto <frwa...@gmail.com> wrote:
> Dear Dan,
> In case it reports any thing where is best place to look is
> it into its particular log files which have been designated ? Which are the
> main log files to be monitored?
>

OSSEC reports all alerts to /var/ossec/logs/alerts/alerts.log.
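
Since the thread leaves it at "look in alerts.log", here is an added example (not from this thread or from the OSSEC project) of what reviewing that file looks like in practice. It parses the standard multi-line alert record format that OSSEC writes (the `** Alert <timestamp>: ... - <groups>` header, the `<date> <host>-><location>` line, then the `Rule: <id> (level <n>) -> '<description>'` line, followed by free-form detail lines), groups alerts by rule group (syscheck, rootcheck, syslog), lists the files syscheck reported as changed, and pulls out the alerts at or above a chosen level for triage. The sample records are constructed for the example; the hostnames, hashes and addresses are not real.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of /var/ossec/logs/alerts/alerts.log content (not a real capture).
SAMPLE_ALERTS = """\
** Alert 1370432658.1234: mail  - ossec,syscheck,
2013 Jun 05 09:44:18 webserver->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'

** Alert 1370432700.5678: - syslog,sshd,authentication_failed,
2013 Jun 05 09:45:00 dbserver->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Jun  5 09:44:59 dbserver sshd[2140]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2

** Alert 1370432800.9012: - ossec,rootcheck,
2013 Jun 05 09:46:40 webserver->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/.hidden' is owned by root and has written permissions to anyone.
"""

# Line patterns for the three fixed lines that open every alert record.
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)?\s+-\s+(?P<groups>[\w,]+),?$")
LOCATION_LINE = re.compile(r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+?)->(?P<location>.+)$")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    timestamp: float
    groups: list
    host: str
    location: str
    rule_id: int
    level: int
    description: str
    details: list = field(default_factory=list)  # remaining free-form lines


def parse_alerts(text):
    """Split alerts.log text into records (blank-line separated) and parse each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        m_head, m_loc, m_rule = ALERT_HEADER.match(lines[0]), LOCATION_LINE.match(lines[1]), RULE_LINE.match(lines[2])
        if not (m_head and m_loc and m_rule):
            continue  # not a well-formed alert record; skip rather than guess
        alerts.append(Alert(
            timestamp=float(m_head["ts"]),
            groups=[g for g in m_head["groups"].split(",") if g],
            host=m_loc["host"],
            location=m_loc["location"],
            rule_id=int(m_rule["id"]),
            level=int(m_rule["level"]),
            description=m_rule["desc"],
            details=lines[3:],
        ))
    return alerts


def summarize(alerts):
    """Counts by rule group and by level, plus the highest level seen."""
    return {
        "by_group": Counter(g for a in alerts for g in a.groups if g != "ossec"),
        "by_level": Counter(a.level for a in alerts),
        "max_level": max((a.level for a in alerts), default=0),
    }


def triage(alerts, min_level=7):
    """Alerts at or above min_level, highest level first, then oldest first."""
    return sorted((a for a in alerts if a.level >= min_level), key=lambda a: (-a.level, a.timestamp))


def changed_files(alerts):
    """Paths that syscheck reported as having a changed checksum."""
    paths = []
    for a in alerts:
        if "syscheck" not in a.groups:
            continue
        for line in a.details:
            m = re.match(r"Integrity checksum changed for: '(.+)'$", line)
            if m:
                paths.append(m.group(1))
    return paths


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(summarize(parsed))
    print("changed files:", changed_files(parsed))
    for a in triage(parsed):
        print(f"level {a.level} rule {a.rule_id} on {a.host}: {a.description}")
```

On a live system the same functions can be pointed at the real file (`parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())`); the per-level counter is a quick way to see whether anything above the default e-mail threshold has fired since the install, and `changed_files` gives the list to reconcile against package manager checksums as suggested earlier in the thread.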

frwa onto

Jun 6, 2013, 12:54:19 PM
to ossec...@googlegroups.com
How about any other log files I need to monitor? I notice there is a breakdown of folders by month and day; what do they store then?

dan (ddp)

Jun 10, 2013, 8:51:30 AM
to ossec...@googlegroups.com
On Thu, Jun 6, 2013 at 12:54 PM, frwa onto <frwa...@gmail.com> wrote:
> How about any other log files I need to monitor? Is notice there is a
> breakdown of folder by month and day what do they store then?
>

Which files to monitor really depends on your system, and what logs
you consider important.

frwa onto

Jun 10, 2013, 10:51:43 PM
to ossec...@googlegroups.com
Dear Dan,
I am running a web server and also a DB server. So I guess both of their logs in /var/log should be monitored, right? How about other system files which should be monitored?