ossec + cpanel : need to add additional logs, How ?

[SystemAli]

I need to log a cpanel agents log to my ossec server, Which file on the agent do i have to modify so that i can tell it to send additional log files there ?

--
"Want to be a leader? Wash the Dishes When Nobody Else Will"

[dan (ddp)]

/var/ossec/etc/ossec.conf

> Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>
> "

[SystemAli]

Dan:

that means all the logs to be monitored have to be entered in the agent in the following location :-/var/ossec/etc/ossec.conf ?

[dan (ddp)]

Correct. Look at the ossec.conf on the agent. There should be some logfiles configured by default. Look for <localfile> entries.

> Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>
> "

[Rainer]

Hi,
I want to have different active-response timeouts depending
on the fired rules. So I put in my ossec.conf:

<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>8</level>
<timeout>900</timeout>
</active-response>

<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>100005,100030,100032,100034,100036,100037</rules_id>
<timeout>5600</timeout> <!-- w00t -->
</active-response>

today I had several attacks that fired rule 100037
(a simple selfmade myphpadmin scanner detector):
<rule id="100037" level="8">
<if_sid>31100</if_sid>
<match>myadmin/scripts</match>
<description>phpmyadmin scanner</description>
<group>attacks,</group>
</rule>

Ossec fired Rule 100037, active response got activated, BUT
only for 15 minutes and not for 90 Minutes as I expected.
Is it possible at all to have such a multiple active-response config?
If yes, why didn't it do the 5600s timeout but instead the 900s?

It's a local installation on ubuntu server. OSSEC 2.5.1

thanks for hints.

Greets
Rainer

[dan (ddp)]

The order of the AR definitions matters. I think it is first match wins.

[Christopher Moraes]

On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <syst...@gmail.com> wrote:

Dan:

that means all the logs to be monitored have to be entered in the agent in the following location :-/var/ossec/etc/ossec.conf ?

On the agent, there are 2 config files that are read in the following order - 

1. /var/ossec/etc/ossec.conf and 

2. /var/ossec/etc/shared/agent.conf

The agent first reads the ossec.conf file and then tries to read the agent.conf file (if it exits).  Log files specified in ossec.conf and agent.conf will be monitored.  If you are making changes for a specific agent, make your changes in ossec.conf and not agent.conf, as agent.conf gets overwritten by the manager.

[SystemAli]

So, That means if i need to add additional files to be monitored, all i need to do is , Edit the ossec.conf on the agent by replace the LOCATION tab with the location of the log file  that i need to monitor ? ...correct ?

  <localfile>

    <log_format>syslog</log_format>

    <location>/var/log/maillog</location>

  </localfile>             

Please clarify 

Thank you

[dan (ddp)]

On Jun 28, 2011 1:28 PM, "SystemAli" <syst...@gmail.com> wrote:
>
> So, That means if i need to add additional files to be monitored, all i need to do is , Edit the ossec.conf on the agent by replace the LOCATION tab with the location of the log file  that i need to monitor ? ...correct ?
>
>

Don't replace it, add a new localfile for the logfile you want to monitor.

[Christopher Moraes]

Yes. assuming the format of your new file is also "syslog"

[SystemAli]

Christopher :

You got me confused now....i was about to add another container of the localfile with the exact details and changing the  LOCATION ....

What do i need to make sure if the format of my new file is syslog, and if it is NOT then what do i do ?

Thank you for your assistance .

[SystemAli]

Chris :

When you say format is this what you mean :-  /var/log/dmesg OR /var/log/btmp etc etc...These are the kind of files i intent to record...

Is there something that i m missing ?

[Christopher Moraes]

If you're monitoring a file which is a syslog format, then you specify "syslog".  If it's another format (see the docs for the formats supported) then specify another format (e.g. iis, eventlog, etc.)

If you have a single line log format, it is _very_ likely that you can use the syslog format.  Else, you need to find the right format for your log file.

[SystemAli]

Chris :

I edited the ossec.conf and added these container in it :-

 <localfile>

    <log_format>syslog</log_format>

    <location>/usr/local/apache/logs/access_log</location>

  </localfile>

</ossec_config>

  <localfile>

    <log_format>syslog</log_format>

    <location>/usr/local/cpanel/logs/access_log</location>

  </localfile>                                             

But when i restart ossec i get this error :-

/var/ossec/bin/ossec-control start

Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...

2011/06/28 23:39:58 ossec-execd(1226): ERROR: Error reading XML file '/var/ossec/etc/ossec.conf': XML ERR: Element not closed: <ossec_config (line 68).   

Can you suggest how to resolve  this ?

[dan (ddp)]

Hi SystemAli,

On Tue, Jun 28, 2011 at 2:10 PM, SystemAli <syst...@gmail.com> wrote:
> Chris :
> I edited the ossec.conf and added these container in it :-
>  <localfile>
>     <log_format>syslog</log_format>
>     <location>/usr/local/apache/logs/access_log</location>
>   </localfile>

This is probably in the apache format

> </ossec_config>

This </ossec_config> tag seems to be in the wrong place.

>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/usr/local/cpanel/logs/access_log</location>
>   </localfile>

I haven't seen it, but I'm guessing this will also be in the apache format.
Have you ever looked at the logs?

> But when i restart ossec i get this error :-
> /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> 2011/06/28 23:39:58 ossec-execd(1226): ERROR: Error reading XML file
> '/var/ossec/etc/ossec.conf': XML ERR: Element not closed: <ossec_config
> (line 68).
> Can you suggest how to resolve  this ?
>

Look at line 68 or above. Look for a line that says "<ossec_config"
Or, check for an <ossec_config> without an </ossec_config>.

Anything in a <> will need a corresponding </>.

[SystemAli]

Yes,

the first one is an Apache format, DO i need to change the LOG_FORMAT for this ? if yes, then what ?

And yes. there were additional "</ossec_config>" in the file which i have removed, But yet get the same error :(

than you once again

[Christopher Moraes]

Look at /var/log/message - (this is the syslog format) and compare it to the logs you want to monitor. I'll explain this below - 

OSSEC uses the log format for pre-decoding and the decoder xml for decoding the log.  What this means is that in order for OSSEC to read the logs, it needs to know what format the data is coming in.  When you specify "syslog" format, OSSEC expects the log to be a single line log, with the format

<date time> <hostname> <application/process name> <... other log data>

If your logs do not follow the first 3 fields mentioned above, then you need to use another log format.  Once the log is in syslog format, OSSEC needs to have a "decoder" that can read the rest of the log message.  The decoder is picked up based on the "application/process name".   E.g. if it is ftp, the ftp decoder will be picked up.

I suggest you read the following presentation by Michael Starks.  It'll save you a lot of time, trying to figure things out.

http://www.immutablesecurity.com/index.php/2009/11/30/ossec-presentation-available/

[dan (ddp)]

On Tue, Jun 28, 2011 at 2:33 PM, SystemAli <syst...@gmail.com> wrote:
> Yes,
> the first one is an Apache format, DO i need to change the LOG_FORMAT for
> this ? if yes, then what ?

<log_format>apache</log_format>

> And yes. there were additional "</ossec_config>" in the file which i have
> removed, But yet get the same error :(
> than you once again
>

There's either an extra </ossec_config> still in the file, or the
"<ossec_config" in the message you sent is causing the breakage.
Feel free to send me the ossec.conf, I can try to read it for you.

[SystemAli]

Dan :

My conf file is attached 

Thank you so much for extending your helping hand.

[SystemAli]

Thank you so much Chris, 

I'll go through it right away.

[dan (ddp)]

There's an extra '<' character on the last line.

# /var/ossec/bin/ossec-logtest -t -c ./ossec.test
2011/06/28 15:10:52 ossec-config(1226): ERROR: Error reading XML file
'./ossec.test': XML ERR: End of file and some elements were not closed
(line 79).
2011/06/28 15:10:52 ossec-testrule(1202): ERROR: Configuration error
at './ossec.test'. Exiting.
# echo $?
1

## REMOVE THE EXTRA '<' ON THE LAST LINE

# /var/ossec/bin/ossec-logtest -t -c ./ossec.test
2011/06/28 15:11:15 ossec-testrule: INFO: Reading local decoder file.
# echo $?
0

[Christopher Moraes]

This is the error:

<</ossec_config>  

On Tue, Jun 28, 2011 at 3:06 PM, SystemAli <syst...@gmail.com> wrote:

[SystemAli]

Thank you so so very much :)

Fanatastic :)

I'll get back if i need any further assistance ..you have been wonderful !!!

[SystemAli]

Dan :

do we also need to modify the Manager in any way for these new log files to get logged there ?

[Christopher Moraes]

No. No changes to the manager are needed.

[SystemAli]

Oke doke Thank you.

[SystemAli]

Dan :

Where can i find more info about LOG_FORMAT container, as i need to monitor SMTP and othe services and am not exactly sure what to name them.

 

On Wed, Jun 29, 2011 at 12:19 AM, dan (ddp) <ddp...@gmail.com> wrote:

[SystemAli]

I was looking at the Supported logs at : http://www.ossec.net/wiki/Supported-Logs But this does not say any thing about EXIM, 

Can any one confirm if it can logs exim as well ?

[dan (ddp)]

These are the available log_format options:
syslog, snort-full, snort-fast, squid, iis, eventlog, mysql_log,
postgresql_log, nmapg or apache

[dan (ddp)]

exim probably works, it logs in the syslog format I think. There's no
specific decoder for it, so that might need to be written.

[SystemAli]

Thank you so much Dan,

I shall have this looked into.