Log Retention with Ossec


sculptu...@yahoo.co.uk

May 31, 2012, 6:15:57 AM
to ossec...@googlegroups.com
Hi all

Currently considering an Ossec deployment, could I please check my understanding of the following;

Ossec alerts - can be logged to syslog, file, database and sent as emails.

Original log lines received from agents - can be logged to archive.log file with the "logall" directive for retention (doesn't cause these to be added to a configured db and they don't appear to be sent to syslog either should this be enabled, presuming these aren't options?).

And a slightly off topic question if I may.

I'd be interested in hearing what others are doing with regards log retention / enabling rich searching of the archive log, having taken a quick look at elsa as an example this appears to import everything as ossec-archive which doesn't appear ideal for utilising the search functions.

It would be plausible in our case to actually junk a good portion of what's in the archive (ossec keepalives, log lines considered irrelevant for retention) but I'm not sure exactly where to begin (regex not being a strong point) and am wondering what others have done who have used the archive as a basis for log retention.

Many thanks in advance


Florian Crouzat

May 31, 2012, 7:52:35 AM
to ossec...@googlegroups.com
Not answering all your concerns but...

As you said, with the logall switch, all logs from clients are logged
into archive logs.
(http://www.ossec.net/doc/syntax/head_ossec_config.global.html#options)

Alert logs are just decoded archive logs that trigger alerts with
level >= log_alert_level -- assuming you have some decoders and rules
(ossec ships with default ones).

I don't use DB support and I only keep 13 months of archive log files
on disk (PCI-DSS). I don't keep alert logs as they are redundant with
archives, and ~5 times heavier because of the decoding overhead.

I think you should not remove things from archive logs as they'll lose
their purpose and the tool will be considered limited/compromised.

As for the "rich searching of archives", it can be dangerous if anyone
can read everything, because archives contain all logs of everything
everywhere, and it can take very long because archive files can quickly
become huge.

ps: also, ossec-wui has a Search tab.

--
Cheers,
Florian Crouzat

dan (ddp)

Jun 5, 2012, 12:14:48 PM
to ossec...@googlegroups.com
On Thu, May 31, 2012 at 6:15 AM, sculptu...@yahoo.co.uk
<sculptu...@yahoo.co.uk> wrote:
> Hi all
>
> Currently considering an Ossec deployment, could I please check my understanding of the following;
>
> Ossec alerts - can be logged to syslog, file, database and sent as emails.
>
> Original log lines received from agents - can be logged to archive.log file with the "logall" directive for retention (doesn't cause these to be added to a configured db and they don't appear to be sent to syslog either should this be enabled, presuming these aren't options?).
>

Those are not options.

sebast...@live.com

Apr 30, 2018, 7:31:27 PM
to ossec-list
Hi Dan, Florian

This entry mentions OSSEC has been configured to keep logs as long as 13 months. May I ask how to achieve that? I don't know the configuration file I need to edit to let OSSEC know it must not rotate logs until the 13th month.

Best regards, Sebatian.

dan (ddp)

Apr 30, 2018, 7:32:27 PM
to ossec...@googlegroups.com


On Mon, Apr 30, 2018, 7:31 PM <sebast...@live.com> wrote:
Hi Dan, Florian

This entry mentions OSSEC has been configured to keep logs as long as 13 months. May I ask how to achieve that? I don't know the configuration file I need to edit to let OSSEC know it must not rotate logs until the 13th month.

Best regards, Sebatian.


Ossec doesn't delete logs.
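Since OSSEC itself never deletes anything (as Dan says above), a retention period like Florian's 13 months of archive logs has to be enforced outside OSSEC. The script below is an added example for this thread, not part of OSSEC or anything the posters shipped. It assumes the default on-disk layout in which the server rotates the `logall` archives daily into `<ossec_dir>/logs/archives/YYYY/Mon/ossec-archive-DD.log` (the same layout applies under `logs/alerts/`); that layout is an assumption, not stated in the thread. It decides by the year and month encoded in the directory path rather than by file mtime, so a later copy or restore of old archives cannot make them look fresh. It defaults to a dry run that only lists what would be deleted.

```shell
#!/bin/sh
# Retention pruning for OSSEC archive logs (added example, not OSSEC's own tooling).
# Assumed layout: LOG_DIR/YYYY/Mon/ossec-archive-DD.log with Mon = Jan..Dec.

# month_index Mon -> 1..12; fails on anything that is not a three-letter month name.
month_index() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# month_serial YEAR MONTHNUM -> YEAR*12 + MONTHNUM, a single comparable month counter.
month_serial() {
    echo $(( $1 * 12 + $2 ))
}

# cutoff_serial KEEP_MONTHS [YYYY-MM]
# Serial of the oldest month to keep, counting the reference month itself as one of the
# KEEP_MONTHS. The reference month defaults to the current month; pass YYYY-MM for a
# reproducible run (as the usage note and tests do).
cutoff_serial() {
    keep=$1
    ref=${2:-$(date +%Y-%m)}
    y=${ref%-*}
    m=${ref#*-}
    m=${m#0}                       # strip a leading zero so "04" is not read as octal
    echo $(( y * 12 + m - keep + 1 ))
}

# prune_archives LOG_DIR KEEP_MONTHS [YYYY-MM] [dry|apply]
# Walks LOG_DIR/YYYY/Mon, prints every month directory older than the cutoff (one per
# line) and, only in "apply" mode, removes it. Unrecognised directory names are skipped
# and reported on stderr rather than deleted.
prune_archives() {
    dir=$1; keep=$2; ref=$3; mode=${4:-dry}
    cutoff=$(cutoff_serial "$keep" "$ref")
    for ydir in "$dir"/[0-9][0-9][0-9][0-9]; do
        [ -d "$ydir" ] || continue
        year=${ydir##*/}
        for mdir in "$ydir"/*; do
            [ -d "$mdir" ] || continue
            mon=${mdir##*/}
            idx=$(month_index "$mon") || { echo "skipping unrecognised $mdir" >&2; continue; }
            if [ "$(month_serial "$year" "$idx")" -lt "$cutoff" ]; then
                echo "$mdir"
                [ "$mode" = dry ] || rm -rf -- "$mdir"
            fi
        done
        # Drop the year directory once all of its months are gone (ignored if not empty).
        [ "$mode" = dry ] || rmdir -- "$ydir" 2>/dev/null || true
    done
}

# Usage (paths assumed, adjust to your install):
#   prune_archives /var/ossec/logs/archives 13 "" dry     # list what a 13-month policy drops
#   prune_archives /var/ossec/logs/archives 13 "" apply   # actually delete it
```

Run it from cron once a month after the rotation has happened, and keep the dry-run output as the record of what was removed; if you also keep alert logs, the same function works on `logs/alerts`. The cutoff counts the current month as one of the retained months, so 13 keeps the current month plus the twelve before it.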
