Hi,
I have the exact same deployment scenario (ossec running off a syslog-ng centralized log) and requirement, i.e. to identify if some servers/devices stop logging.
Ossec does not support this by default, but I'm thinking of using the active-response feature to do this.
What I *plan* to do is -
1. Set up a rule that will fire an alert on every log.
2. Set up an active response command that will get invoked for every log message. The command will pass the 'srcip' to a daemon process (which has to be developed).
3. The daemon process will keep track of srcips and will generate an alert if a source stops logging for a certain amount of time.
The downside to this is that there will be a performance hit since ossec is firing an alert on every log message. I don't know how much of a performance hit this will be, but OSSEC currently exceeds my required EPS by a factor of 2, so I know I have some room to play with.
On Wed, Dec 15, 2010 at 5:30 AM, NewRules <ner...@gmail.com> wrote:
Hi,
I'm using ossec as a log correlator. For log centralization I'm using syslog-ng (for formatting features), thus I'm not using ossec agents for log collection.
I want to know if there is any option to set an alert when no logs or an unusual amount of logs from a certain host is noticed.
The problem I've been through is that after servers reboot, syslog-ng agents did not restart for some reason and thus they were not sending logs anymore. Ossec did not warn me about it.
How is it possible to set this kind of alert?
Thanks,
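As an added example (not OSSEC's code and not from either poster), here is a Python sketch of the tracking daemon described in step 3 of the reply above: it records the last event time per source as handed over by the active-response command, reports a source once when it has been silent longer than a threshold (and re-arms when the source comes back), and also flags an unusual burst of events from one source, which the original question asked about. The thresholds and the srcips in demo() are constructed values.

```python
# Added example (not OSSEC's active-response code): the per-source tracker described
# in step 3 of the reply. Thresholds and the srcips in demo() are constructed values.
from collections import defaultdict, deque


class SourceMonitor:
    def __init__(self, silence_s=600, window_s=60, burst_limit=500):
        self.silence_s = silence_s        # seconds of silence before a source is reported
        self.window_s = window_s          # sliding window (seconds) for the volume check
        self.burst_limit = burst_limit    # events per window considered unusual
        self.last_seen = {}               # srcip -> timestamp of most recent event
        self.recent = defaultdict(deque)  # srcip -> timestamps inside the window
        self.silent = set()               # sources currently in "silent" alert state

    def observe(self, srcip, ts):
        """Record one event from srcip at time ts; return 'burst' if its volume is unusual."""
        self.last_seen[srcip] = ts
        self.silent.discard(srcip)        # source is back; a future silence can alert again
        q = self.recent[srcip]
        q.append(ts)
        while q and q[0] < ts - self.window_s:   # drop events older than the window
            q.popleft()
        return "burst" if len(q) > self.burst_limit else None

    def check(self, now):
        """Return [(srcip, seconds_silent)] for sources that just crossed the threshold.
        A source is reported once per silence episode, not on every check."""
        newly_silent = []
        for srcip, seen in self.last_seen.items():
            if now - seen > self.silence_s and srcip not in self.silent:
                self.silent.add(srcip)
                newly_silent.append((srcip, int(now - seen)))
        return newly_silent


def demo():
    """Constructed timeline: 10.0.0.5 goes quiet while 10.0.0.6 keeps logging, then bursts."""
    mon = SourceMonitor(silence_s=300, window_s=60, burst_limit=3)
    t0 = 1_000_000
    mon.observe("10.0.0.5", t0)
    for dt in (10, 100, 200, 300):
        mon.observe("10.0.0.6", t0 + dt)
    burst = [mon.observe("10.0.0.6", t0 + 301 + i) for i in range(3)][-1]
    first = mon.check(t0 + 400)    # 10.0.0.5 silent for 400 s > 300 s
    second = mon.check(t0 + 401)   # already reported, so nothing new
    return first, second, burst
```

In daemon form the same object would be fed one srcip per line from the active-response command and check() would run on a timer, with the returned list turned into the alert.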