How to check if it is logging events ?


SystemAli

Jun 23, 2011, 3:59:56 PM
to ossec...@googlegroups.com
I have installed the server and the agent modules respectively on the required servers, and the "ossec-control" server is running fine on both servers.

Now, where on the server do I check if it is logging events? And how do I add any desired events from the agent on the server?

--

Christopher Moraes

Jun 23, 2011, 4:51:18 PM
to ossec...@googlegroups.com
Alerts are logged in /var/ossec/logs/alerts/alerts.log

Events will not be logged, so don't look for events in your ossec logs.

SystemAli

Jun 23, 2011, 5:00:35 PM
to ossec...@googlegroups.com
Great, I see them getting logged there :) Thank you...

Secondly, I need to monitor additional services on the agent. How can I do that so it too gets logged on the server? For e.g. failed services like mail / ftp / sshd etc.

SystemAli

Jun 23, 2011, 5:44:57 PM
to ossec...@googlegroups.com
Chris:

Do all the alerts from ALL the different servers / devices get logged into this one file "alerts.log"?

SystemAli

Jun 23, 2011, 8:37:22 PM
to ossec...@googlegroups.com
Can anyone update me on this?


On Fri, Jun 24, 2011 at 3:14 AM, SystemAli <syst...@gmail.com> wrote:
Chris:

Do all the alerts from ALL the different servers / devices get logged into this one file "alerts.log"?



dan (ddp)

Jun 23, 2011, 8:41:39 PM
to ossec...@googlegroups.com
The answer is yes.

SystemAli

Jun 23, 2011, 8:58:15 PM
to ossec...@googlegroups.com
Thank you Dan,

SystemAli

Jun 23, 2011, 10:04:44 PM
to ossec...@googlegroups.com
If all the logs get written to this one file, then how do we extract the logs for any individual agent?

Any tips on this please?

On Fri, Jun 24, 2011 at 6:28 AM, SystemAli <syst...@gmail.com> wrote:
Thank you Dan,

dan (ddp)

Jun 24, 2011, 9:16:10 AM
to ossec...@googlegroups.com
You can probably use ossec-reportd.
The file is a plain text file, so you shouldn't need anything fancy to read it.

Christopher Moraes

Jun 24, 2011, 9:21:25 AM
to ossec...@googlegroups.com
For the sake of clarity - alerts get written to this one file, not logs.

To see alerts for a particular agent/host, run the ossec-reportd utility.  It will parse the alert log file and show you alerts based on the filter criteria you've set.


On Thu, Jun 23, 2011 at 10:04 PM, SystemAli <syst...@gmail.com> wrote:
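As an added example (not code from this thread, and not part of OSSEC itself): a small Python parser that reads alerts.log, the file Chris points to at /var/ossec/logs/alerts/alerts.log, and pulls out the alerts for one agent. It is the per-agent extraction asked about above, done in plain Python rather than through ossec-reportd (which lives in /var/ossec/bin, as the later zcat command in this thread shows). The record layout it expects (a `** Alert` header, an origin line with the agent name in parentheses, then a `Rule:` line) follows the OSSEC 2.x alerts.log format as I know it, and that is an assumption to check against your own file; the sample records and the agent names webserver01 and dbserver02 are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the OSSEC 2.x alerts.log layout (not taken from the thread).
# Agent alerts carry "(agent-name) ip->location"; alerts raised by the manager
# itself carry "hostname->daemon" with no parentheses.
SAMPLE_ALERTS = """\
** Alert 1308859196.2345: mail  - syslog,sshd,authentication_failed,
2011 Jun 23 15:59:56 (webserver01) 10.0.0.12->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jun 23 15:59:55 webserver01 sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2

** Alert 1308859300.3456: - ossec,
2011 Jun 23 16:01:40 manager->ossec-monitord
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'webserver01->10.0.0.12'.

** Alert 1308859420.4567: - syslog,sshd,authentication_failed,
2011 Jun 23 16:03:40 (dbserver02) 10.0.0.20->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.9
Jun 23 16:03:39 dbserver02 sshd[981]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
"""

# Header: "** Alert <epoch>.<seq>: [mail] - group1,group2,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?:\s+mail)?\s+-\s+(?P<groups>.*)$")
# Origin: "<date> (<agent>) <ip>-><location>"  or  "<date> <host>-><location>"
ORIGIN_RE = re.compile(
    r"^(?P<when>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>[^\s>]+)|(?P<host>[^\s>]+))->(?P<location>\S+)$"
)
# Rule: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    timestamp: float
    groups: List[str]
    source: str          # agent name, or the manager's hostname for local alerts
    is_agent: bool
    location: str        # monitored file or daemon that produced the event
    rule_id: int
    level: int
    description: str
    raw_lines: List[str] = field(default_factory=list)  # Src IP / User / original log line


def parse_record(lines: List[str]) -> Optional[Alert]:
    """Turn one alert record (header, origin, rule, extra lines) into an Alert.

    Returns None for a malformed or truncated record so a partially written
    tail of the file does not abort the whole run.
    """
    header = HEADER_RE.match(lines[0])
    origin = ORIGIN_RE.match(lines[1]) if len(lines) > 1 else None
    rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
    if not (header and origin and rule):
        return None
    groups = [g for g in header.group("groups").split(",") if g]
    agent = origin.group("agent")
    return Alert(
        timestamp=float(header.group("ts")),
        groups=groups,
        source=agent if agent else origin.group("host"),
        is_agent=agent is not None,
        location=origin.group("location"),
        rule_id=int(rule.group("rule_id")),
        level=int(rule.group("level")),
        description=rule.group("desc"),
        raw_lines=lines[3:],
    )


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into records at each '** Alert' header and parse them."""
    alerts: List[Alert] = []
    record: List[str] = []
    for line in text.splitlines():
        if line.startswith("** Alert"):
            if record:
                parsed = parse_record(record)
                if parsed:
                    alerts.append(parsed)
            record = [line]
        elif record and line.strip():
            record.append(line)
    if record:
        parsed = parse_record(record)
        if parsed:
            alerts.append(parsed)
    return alerts


def alerts_for_agent(alerts: List[Alert], agent: str, min_level: int = 0) -> List[Alert]:
    """Alerts whose origin is the named agent, optionally at or above a rule level."""
    return [a for a in alerts if a.source == agent and a.level >= min_level]


def count_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """How many alerts each agent (or the manager) contributed: a quick sanity check
    that every expected agent is actually reporting."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)  # on a real box: open("/var/ossec/logs/alerts/alerts.log").read()
    print(count_by_source(parsed))
    for a in alerts_for_agent(parsed, "dbserver02", min_level=7):
        print(f"{a.source} rule {a.rule_id} level {a.level}: {a.description}")
```

`count_by_source` is the quick answer to the first question in this thread (is the manager logging anything for each agent?), and `alerts_for_agent` with a `min_level` is the filter ossec-reportd would otherwise apply; on a live system point `parse_alerts` at the real alerts.log instead of the constructed sample.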

Christopher Moraes

Jun 24, 2011, 9:23:09 AM
to ossec...@googlegroups.com
You should check out the policy auditing feature. This is a part of rootkit check.

If you have rootkit check enabled, configure it to use one of the policy files. You may have to configure the policy file to check for the specific service you want.

SystemAli

Jun 25, 2011, 1:33:08 AM
to ossec...@googlegroups.com
Chris:

I tried to call "ossec-reportd" on the manager, but all I get is: "bash: /var/ossec/etc/ossec-reportd: No such file or directory"

What am I missing? Or am I calling it from the wrong location?


SystemAli

Jun 25, 2011, 3:20:59 AM
to ossec...@googlegroups.com
Chris:

I am trying to read the logs via this command: zcat /var/ossec/logs/alerts/2011/Jun/ossec-archive-23.log.gz | /var/ossec/bin/ossec-reportd

But all I get is:

2011/06/25 12:02:17 ossec-reportd: INFO: Started (pid: 7610).
2011/06/25 12:02:22 ossec-reportd: INFO: Report completed and zero alerts post-filter.

Where is the report?


dan (ddp)

Jun 25, 2011, 8:41:29 AM
to ossec...@googlegroups.com

It says there were no alerts, so there is no report.

On Jun 25, 2011 8:28 AM, "SystemAli" <syst...@gmail.com> wrote:
> Chris :
>
> I am trying to read the logs via this command :- zcat
> /var/ossec/logs/alerts/2011/Jun/ossec-archive-23.log.gz |
> /var/ossec/bin/ossec-reportd
>
> But all i get is :-
>
> 2011/06/25 12:02:17 ossec-reportd: INFO: Started (pid: 7610).
> 2011/06/25 12:02:22 ossec-reportd: INFO: Report completed and zero alerts
> post-filter.
>
> where is the report ?
>
>
>
> On Sat, Jun 25, 2011 at 11:03 AM, SystemAli <syst...@gmail.com> wrote:
>
>> Chris :
>>
>> I tried to call the "ossec-reportd" on the manage, but all i get is :- -"bash: /var/ossec/etc/ossec-reportd: No such file or directory"
>>
>> what am i missing ? or m i calling it from the wrong location ?
>>
>> On Fri, Jun 24, 2011 at 6:53 PM, Christopher Moraes <cmora...@gmail.com> wrote:
>>
>>> You should check out the policy auditing feature. This is a part of
>>> rootkit check.
>>>
>>> If you have rootkit check enabled, configure it to use one of the policy
>>> files.
>>> you may have to configure the policy file to check for the specific
>>> service you want.
>>>
>>>
>>> On Thu, Jun 23, 2011 at 5:00 PM, SystemAli <syst...@gmail.com> wrote:
>>>
>>>> great..i see them getting logged there :) Thank you...
>>>>
>>>> Secondly ..i need to monitor additional services on the agent, how can id
>>>> to that so it oo gets logged on the server ? for eg..failed services like
>>>> mail / ftp / sshd etc etc
>>>>
>>>
>>>
>>
>>
>> --
>> "Want to be a leader? Wash the Dishes When Nobody Else Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>"
>>
>
>
>
> --
> "Want to be a leader? Wash the Dishes When Nobody Else