You also need to make sure your active response works without ossec. If it won't work manually, it won't work as a script.

On 01/05/2011 02:51 PM, dan wrote:
On Wed, Jan 05, 2011 at 11:06:29AM -0800, Saket wrote:
Indeed!

But, there is a feature to follow local files. Like how we follow /var/log/messages and /var/log/secure on Linux and
the Windows event log (eventlog) on Windows, can we follow ossec.log and active-responses.log as a localfile as well? Ideally it should log every
change in these two files to the alerts.log.

It clearly says "analyzing ossec.log and active-responses.log" in the
ossec.log, but it doesn't seem to work.

Please advise.

Thanks,
Saket

You would need to create rules for the log messages. If there isn't a
rule that matches, an alert will not fire.
dan


On Jan 5, 6:44 am, "ddp...@gmail.com" <ddp...@gmail.com> wrote:
Alerts.log only gets alerts. The syslog client in ossec only sends alerts. Not 
all log messages will get forwarded from the manager to an external syslog 
server.

-----Original Message-----
From: Saket
Sent: 01/04/2011 6:49:57 PM
Subject: [ossec-list] Consolidating ossec.log and active-responses.log into
alert.log and exporting it to a syslog server

Hi,

I am trying to consolidate the active-responses.log and the ossec.log
using the workaround provided in the thread. I have configured a
syslog export of logs. So as of now all of alerts.log is being
exported to the syslog server. But for some reason the other files are
not being sent.

I have included the following in the ossec.conf file:

<syslog_output>
<server>x.x.x.x</server>
</syslog_output>

<localfile>
<location>/var/ossec/logs/ossec.log</location>
<log_format>syslog</log_format>
</localfile>

<localfile>
<location>/var/ossec/logs/active-responses.log</location>
<log_format>syslog</log_format>
</localfile>

I checked the ossec.log file and it clearly says:

Analysing File: '/var/ossec/logs/active-responses.log' and
'/var/ossec/logs/ossec.log'

But, whatever is being written to these 2 files is not being exported
or written to the alerts.log.

Is there anything wrong in my configuration or am I missing something
here?

Please advise.

Thanks,
Saket

--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
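As an added illustration of dan's point above (that a localfile only produces alerts when a rule matches its lines), here is a local_rules.xml fragment alongside the corrected ossec.conf fragment. This is example configuration written for this note, not code from the thread or from the OSSEC project. It assumes the two files are read with log_format syslog as in Saket's configuration, that active-responses.log lines contain the script path under /var/ossec/active-response/bin/ (the standard active-response log line lists script, action, user and IP), and that ossec.log lines carry a daemon prefix such as "ossec-analysisd(1210): ERROR:". The rule ids, levels, match strings and descriptions are my own choices; x.x.x.x is a placeholder for the syslog server.

```xml
<!-- /var/ossec/etc/ossec.conf fragment (added example; x.x.x.x is a placeholder).
     Note the closing tag on syslog_output: an unclosed element here is a
     configuration error, not a silent "nothing gets forwarded". -->
<ossec_config>
  <syslog_output>
    <server>x.x.x.x</server>
  </syslog_output>

  <localfile>
    <location>/var/ossec/logs/ossec.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>/var/ossec/logs/active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml fragment (added example).
     Rule ids 100000-119999 are reserved for local rules; the levels below
     are assumptions and can be tuned to the site's alert threshold. -->
<group name="local,ossec,">

  <!-- Every line written by an active-response script. The standard
       active-responses.log line contains the script path, so matching on
       the bin directory catches add and delete actions from any script. -->
  <rule id="100100" level="5">
    <match>/var/ossec/active-response/bin/</match>
    <description>Active response executed (from active-responses.log)</description>
  </rule>

  <!-- Only ERROR and CRITICAL lines from ossec.log. An unconditional match
       on ossec.log would alert on every INFO line, including start-up noise. -->
  <rule id="100101" level="7">
    <match>ossec-</match>
    <regex>: ERROR: |: CRITICAL: </regex>
    <description>OSSEC daemon reported an error (from ossec.log)</description>
  </rule>

</group>
```

With these rules loaded (local_rules.xml is included from ossec.conf by default), a matching line produces an alert in alerts.log and is forwarded by syslog_output like any other alert, provided the rule level is at or above the configured minimum alert level. Restart the manager after editing the rules, and check ossec.log for rule-parsing errors before assuming the export is broken.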
