Hi,

I noticed that when I send alerts to a syslog server all the logs show
up in the following format:

Date Time Hostname ossec: Alert Level ............etc

I need to know if it's possible to change ossec: to something else?
Looks like every log has this static text and I want to know if we can
change that?

And is it possible to include the year in the date?

Here is a typical log:

Jan  7 11:34:25 ossecserver ossec: Alert Level: 4; Rule: 11 - Excessive number of events (above normal).; Location: ossecserver->rootcheck;  The average number of logs between 11:00 and 12:00 is 114. We reached 365.

Thanks,
Saket

On Jan 6, 8:30 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Hi,
>
> On Thu, Jan 6, 2011 at 7:56 PM, Saket <saketbajo...@gmail.com> wrote:
> > I was able to successfully get the active-responses.log to alert via
> > syslog
>
> > Here is my log : Thu Jan  6 16:18:29 EST 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.100.229.132 1294348709.10093 570
>
> > I am trying to understand what each of these fields mean
>
> > Action: /var/ossec/active-response/bin/host-deny.sh add
> > SourceIP: 192.100.229.132
>
> > What's 1294348709.10093 and 5706?
>
> Timestamp and Rule ID.
>
>
>
> > I wrote a decoder under decoder.xml and rule under local_rule.xml
>
> You should put the decoder in local_decoder.xml so it doesn't get
> overwritten during an upgrade.
>
> > I have some questions:
>
> > 1. I had defined the order action,srcip,extra_data but they don't show
> > up in the alerts.log
>
> They're in the log message, they won't be broken out in the alerts.log file.
>
> > 2. I defined a custom rule under local_rule.xml but, I am not sure
> > what ID to give there. How do I find out which Rule ID is not used?
>
> http://www.ossec.net/wiki/Know_How:RuleIDGrouping
> Start with 100000.
>
> > I am trying to identify each log uniquely by its rule id so I need to
> > make sure I give a unique rule id to this custom rule.
>
> > Please advise.
>
> > Thanks,
> > Saket
>
> > On Jan 6, 11:55 am, "loyd. darby" <loyd.da...@noaa.gov> wrote:
> >> You also need to make sure your active response works without ossec.
> >> If it won't work manually, it won't work as a script.
>
> >> On 01/05/2011 02:51 PM, dan wrote:
>
> >> > On Wed, Jan 05, 2011 at 11:06:29AM -0800, Saket wrote:
> >> >> Indeed !
>
> >> >> But, there is a feature to follow local files. Like how we follow
> >> >> /var/log/message and /var/log/secure in linux and
> >> >> winEvtlog from Windows, can we follow ossec.log and active-
> >> >> responses.log as a localfile as well? Ideally it should log every
> >> >> change in these two files to the alert.log
>
> >> >> It clearly says analyzing ossec.log and active-responses.log in the
> >> >> ossec.log but it doesn't seem to work.
>
> >> >> Please advise.
>
> >> >> Thanks,
> >> >> Saket
>
> >> > You would need to create rules for the log messages. If there isn't a
> >> > rule that matches, an alert will not fire.
> >> > dan
>
> >> >> On Jan 5, 6:44 am, "ddp...@gmail.com"<ddp...@gmail.com>  wrote:
> >> >>> Alerts.log only gets alerts. The syslog client in ossec only sends 
> >> >>> alerts. Not all log messages will get forwarded from the manager to an 
> >> >>> external syslog server.
>
> >> >>> -----Original Message-----
> >> >>> From: Saket
> >> >>> Sent: 01/04/2011 6:49:57 PM
> >> >>> Subject: [ossec-list] Consolidating ossec.log and 
> >> >>> active-responses.log into alert.log and exporting it to a syslog server
>
> >> >>> Hi,
>
> >> >>> I am trying to consolidate the active-responses.log and the ossec.log
> >> >>> using the workaround provided in the thread. I have configured a
> >> >>> syslog export of logs. So as of now all the alerts.log is being
> >> >>> exported to the syslog server. But for some reason the other files are
> >> >>> not being sent.
>
> >> >>> I have included the following in the ossec.conf file:
>
> >> >>> <syslog_output>
> >> >>> <server>x.x.x.x</server>
> >> >>> </syslog_output>
>
> >> >>> <localfile>
> >> >>> <location>/var/ossec/logs/ossec.log</location>
> >> >>> <log_format>syslog</log_format>
> >> >>> </localfile>
>
> >> >>> <localfile>
> >> >>> <location>/var/ossec/logs/active-responses.log</location>
> >> >>> <log_format>syslog</log_format>
> >> >>> </localfile>
>
> >> >>> I checked the ossec.log file and it clearly says:
>
> >> >>> Analysing File: '/var/ossec/logs/active-responses.log' and
> >> >>> '/var/ossec/logs/ossec.log'
>
> >> >>> But, whatever is being written to these 2 files are not being exported
> >> >>> or written to the alerts.log.
>
> >> >>> Is there anything wrong in my configuration or am I missing something
> >> >>> here?
>
> >> >>> Please advise.
>
> >> >>> Thanks,
> >> >>> Saket
>
> >> --
> >> R. Loyd Darby, OSSIM-OCSE
> >> Project Manager DOC/NOAA/NMFS
> >> Infrastructure coordinator
> >> Southeast Fisheries Science Center
> >> 305-361-4297
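As an added example (not code from the thread or from OSSEC itself): a receiver-side parser for the two line shapes quoted above, the syslog-forwarded alert with its fixed "ossec:" tag and year-less timestamp, and the active-responses.log entry whose trailing numbers the reply identifies as timestamp and rule ID. The field names are my own choice, and the regexes assume exactly the layout shown in the thread.

```python
# Added example (not the thread's own code); field names are my own choice.
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Syslog-forwarded alert: syslog header (no year), program tag, OSSEC fields.
SYSLOG_ALERT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>.*?); Location: (?P<loc>.*?);\s*(?P<msg>.*)$")

# active-responses.log line; per the reply, the last two numbers are timestamp and rule ID.
AR_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) (?P<script>\S+) "
    r"(?P<action>\S+) (?P<user>\S+) (?P<srcip>\S+) (?P<ts>\d+\.\d+) (?P<rule>\d+)$")

def parse_syslog_alert(line, year):
    """Return the alert fields, or None if the line is not in this shape.
    `year` comes from the receiver: the syslog header carries none."""
    m = SYSLOG_ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = (int(x) for x in d["time"].split(":"))
    return {
        "timestamp": datetime(year, MONTHS[d["mon"]], int(d["day"]), h, mi, s),
        "host": d["host"], "tag": d["tag"], "level": int(d["level"]),
        "rule": int(d["rule"]), "description": d["desc"],
        "location": d["loc"], "message": d["msg"].strip(),
    }

def parse_active_response(line):
    """Break an active-responses.log line into its fields, or return None."""
    m = AR_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    return d

# Constructed samples, copied from the lines quoted in the thread.
SYSLOG_SAMPLE = ("Jan  7 11:34:25 ossecserver ossec: Alert Level: 4; Rule: 11 - Excessive "
                 "number of events (above normal).; Location: ossecserver->rootcheck;  The "
                 "average number of logs between 11:00 and 12:00 is 114. We reached 365.")
AR_SAMPLE = ("Thu Jan  6 16:18:29 EST 2011 /var/ossec/active-response/bin/"
             "host-deny.sh add - 192.100.229.132 1294348709.10093 570")
```

Because the forwarded header has no year, a collector must supply one (normally the year the line arrived) before the timestamps can be compared across a year boundary.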
