Dear All,
I have now installed the Syslog-NG server for centralizing all syslog messages from Windows
and Linux machines. Now I am looking for a monitoring tool that could check the severity level
of the incoming message and alert me through e-mail.
Another question: once the event message has been sent to the Syslog-NG server, could OSSEC alert me
by e-mail immediately (real-time alerting)?
Thanks.
Regards,
Wilson Lai
System Engineer
IT Dept., SJM
Office: (853)2978585
Mobile: (853)66506709
Email: wils...@macausjm.com
OSSEC can definitely monitor your logs and generate alerts in real
time. That's what it was written for :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
The caveats I would mention are as follows:
If you are having syslog-ng filter alerts, you'll want to make sure that
you include the file where the logs are being sent.
If you are creating log files based upon day or time (such that the name
of the file changes every day, e.g. /logs/host/2007-10-10), I would
suggest either writing a copy of all alerts to one file that is monitored
and then dumped instead of rotated (a truly ugly option), or
creating a symlink to the current file and changing it every time the
file is rotated (still not a great method, but one we use). A co-worker
wrote a very simple (read that as quick-and-dirty, proof-of-concept)
script I can share if needed.
Yours,
John
--
-------------------------------------------------------------------------
John Ives
System & Network Security
University of California, Berkeley
Phone (510) 642-7773
Cell (510) 229-8676
-------------------------------------------------------------------------
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/logs/remote/*/*/*/*.log</location>
</localfile>
I get an error at startup:
2007/11/09 12:50:20 ossec-logcollector(1901): Missing 'log_format' element.
2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
When I comment that section out, it starts just fine. I'm guessing that the series of '*/*/' is what's throwing it off, correct?
To that end, I'm wondering if creating a symlink to /usr/local/logs/{YEAR}/{MONTH}/{DAY}/ as /var/log/remote would work, and define the entry as:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/remote/*.log</location>
</localfile>
I'd then have to create a script that stops the server, removes the symlink, creates a new symlink (based on the new month/day) and starts the server, but that might get hairy next month :)
Any suggestions/ideas?
Thanks,
Kevin
For your case, I would suggest using the strftime formats instead of
"/*/**". Because the logs change every day,
you need to tell OSSEC to keep following the day changes. An example would be:
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/logs/remote/%Y/%m/%d/host.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/logs/remote/%Y/%m/%d/host2.log</location>
</localfile>
You would need an entry for each host because the "*" is not supported
with the strftime option.
For all the date options, look at:
http://www.openbsd.org/cgi-bin/man.cgi?query=strftime
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
That did the trick, after I scripted a way to add all the current machines logging to syslog into the ossec.conf (to ensure we catch everything.)
Thanks!
-Kevin
I have a similar problem, but in my case I don't want to use strftime
formats because my logs are stored this way:
"/var/log/syslog-ng/HOSTNAME/syslog". I thought the solution was to
change "<location>/var/log/messages</location>" to
"<location>/var/log/syslog-ng/*/messages</location>", but look at what I get
in the log when I start OSSEC after making that change:
$sudo /etc/init.d/ossec start
Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
2008/01/12 18:45:39 ossec-logcollector(1901): Missing 'log_format' element.
2008/01/12 18:45:39 ossec-logcollector(1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2008/01/12 18:45:39 ossec-logcollector(1202): Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
ossec-logcollector: Configuration error. Exiting
Any idea what I must put in the conf file with the logs arranged this way on
disk?
Thanks in advance.
Salute
Frank Abel
__________________________________________
Take part in Universidad 2008.
11 to 15 February 2008.
Palacio de las Convenciones, Havana, Cuba
http://www.universidad2008.cu
It seems that your configuration is missing the log_format parameter.
It should look like this:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/*/messages</location>
</localfile>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Jan 12, 2008 9:14 PM, Frank Abel Cancio Bello
I just changed "<location>/var/log/messages</location>" to
"<location>/var/log/syslog-ng/*/messages</location>" in the original
conf file, so log_format isn't missing.
My conf file has entries like:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/*/messages</location>
</localfile>
Any idea what can be happening?
Salute
Frank Abel
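A script of the kind Kevin mentions, written here as an added example (it is not Kevin's script and not part of OSSEC), covering both layouts discussed in this thread: Kevin's dated tree with one file per host, where "*" cannot be combined with strftime patterns and each host therefore needs its own entry, and Frank's one-directory-per-host tree, where explicit per-host entries avoid depending on the "*" wildcard. The base directories, file names and the restart command line in the comments are assumptions for the example; the generated blocks have the form Daniel shows above.

```shell
#!/bin/sh
# Added example (not from the thread, not part of OSSEC): generate OSSEC
# <localfile> entries for the two log layouts discussed above.
#
# 1. Dated layout, one file per host in a per-day directory:
#      BASE/%Y/%m/%d/<host>.log
#    A concrete day's directory is scanned to discover the hosts; the path is
#    written back with %Y/%m/%d so ossec-logcollector follows the daily change.
#
# 2. Per-host layout, one directory per host with a fixed file name:
#      BASE/<host>/messages
#
# All directory and file names in the comments are assumptions for the example.

# ossec_entries_dated BASE DAYDIR
#   BASE   root of the dated tree (e.g. /usr/local/logs/remote)
#   DAYDIR concrete day to scan, as YYYY/MM/DD (e.g. 2007/11/09)
ossec_entries_dated() {
    base=$1
    daydir=$2
    for f in "$base/$daydir"/*.log; do
        [ -f "$f" ] || continue            # unmatched glob, or no logs yet today
        emit_localfile "$base/%Y/%m/%d/$(basename "$f")"
    done
}

# ossec_entries_per_host BASE FILENAME
#   BASE     root of the per-host tree (e.g. /var/log/syslog-ng)
#   FILENAME log file name inside each host directory (e.g. messages)
ossec_entries_per_host() {
    base=$1
    name=$2
    for d in "$base"/*/; do                # trailing slash: directories only
        [ -f "$d$name" ] || continue       # skip hosts that have no such file
        emit_localfile "$d$name"
    done
}

# emit_localfile PATH: print one <localfile> block. The path is passed as a
# printf argument, not as the format string, so "%Y"-style sequences survive.
emit_localfile() {
    printf '  <localfile>\n'
    printf '    <log_format>syslog</log_format>\n'
    printf '    <location>%s</location>\n' "$1"
    printf '  </localfile>\n'
}

# ossec_config_block: wrap stdin in its own <ossec_config> element. ossec.conf
# may contain several such elements, so the output can be appended to the
# existing file (back it up first) followed by a restart, e.g.
#   /var/ossec/bin/ossec-control restart
ossec_config_block() {
    printf '<ossec_config>\n'
    cat
    printf '</ossec_config>\n'
}

# Usage (runs only when the script is invoked with arguments):
#   sh gen-localfile.sh /usr/local/logs/remote        -> dated layout, today's hosts
#   sh gen-localfile.sh /var/log/syslog-ng messages   -> per-host layout
if [ $# -eq 1 ]; then
    ossec_entries_dated "$1" "$(date +%Y/%m/%d)" | ossec_config_block
elif [ $# -eq 2 ]; then
    ossec_entries_per_host "$1" "$2" | ossec_config_block
fi
```

Because the dated form discovers hosts only from the day being scanned, a host that first appears tomorrow gets no entry until the script runs again, so it belongs in cron or in whatever job rotates the day directory; the per-host form has the same limitation for newly added host directories.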