On Tue, Sep 10, 2013 at 10:14 AM, frwa onto <[email protected]> wrote: > Dear DAn, > Sorry I will limit my question. > 1. How to manually update the rules?
Either add your own to local_rules.xml, download the latest rules from the repository, or update your OSSEC installation. > 2. Here I dont see any rules.IT does not state what rule > Any entry in alerts.log is there because the log message triggered a rule. The rule id is mentioned in each entry. For example: ** Alert 1378572677.0: - syslog,sshd,authentication_success, 2013 Sep 08 00:51:17 capture->/var/log/secure Rule: 5715 (level 3) -> 'SSHD authentication success.' Src IP: 60.50.38.78 User: root Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from **.**.**.78 port 3516 ssh2 The above alert was for rule 5715. If you look in /var/ossec/rules/sshd_rules.xml you should see rule 5715. >> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972). >> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' >> not accessible: 'Connection refused'. >> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to >> active response queue. > > Isnt active response a key for ossec? How to enable it and what is does? > You don't have to use it. > Thank you very much. > > > > On Tuesday, September 10, 2013 9:12:09 PM UTC+8, dan (ddpbsd) wrote: >> >> On Sat, Sep 7, 2013 at 1:03 PM, frwa onto <[email protected]> wrote: >> > Dear Dan, >> > Yes I went into the ossec.log and saw like below. I got >> > few >> > things to ask here first I saw it say 1229 total rules enabled. Will the >> > rules increase by itself or need manual intervention ? Why some are >> > showing >> >> You will have to update the rules manually (for now). >> >> > as errors? Another error is this one Queue '/queue/alerts/ar' not >> >> What rules are showing up as errors? >> >> > accessible: 'Connection refused'.? >> >> Are you using active response? If not, ignore. >> >> > >> > >> > 2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986). >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/messages'. >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file >> > '/var/log/authlog'. >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/authlog'. >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/secure'. >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file >> > '/var/log/xferlog'. >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/xferlog'. >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/maillog'. >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file >> > '/var/www/logs/access_log'. >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/www/logs/access_log'. >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file >> > '/var/www/logs/error_log'. >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/www/logs/error_log'. >> > 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972). >> > 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue >> > '/queue/alerts/ar' >> > not accessible: 'Connection refused'. >> > 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to >> > active response queue. >> > 2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to >> > '/queue/alerts/execq' (exec queue) >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982). >> > 2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982). >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'. >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: >> > '/usr/bin'. >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: >> > '/usr/sbin'. >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'. >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: >> > '/sbin'. >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan >> > (forwarding database). >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database >> > (pre-scan). >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, >> > ignoring it: '/var/log/authlog'. >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, >> > ignoring it: '/var/log/xferlog'. >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, >> > ignoring it: '/var/www/logs/access_log'. >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, >> > ignoring it: '/var/www/logs/error_log'. >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file. >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010). >> > 2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064). >> > 2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck >> > database (pre-scan completed). >> > 2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan >> > (forwarding >> > database). >> > 2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan. >> > 2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan. >> > 2013/08/31 16:47:07 ossec-execd: INFO: Active response command not >> > present: >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this >> > system. >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: >> > '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over. >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: >> > '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over. >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: >> > '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over. >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: >> > '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over. >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: >> > '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over. >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: >> > '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over. >> > 2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan. >> > 2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan. >> > 2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan. >> > 2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan. >> > 2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit >> > Cleaning... >> > 2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. >> > Exit >> > Cleaning... >> > 2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit >> > Cleaning... >> > 2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit >> > Cleaning... >> > 2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting >> > responses. >> > 2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit >> > Cleaning... >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file. >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246). >> > 2013/09/01 21:32:08 DEBUG: I am creating the SQLite table. >> > 2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269). >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file. >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'rules_config.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'pam_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'sshd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'telnetd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'syslog_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'arpwatch_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'symantec-av_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'symantec-ws_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'pix_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'named_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'smbd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'vsftpd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'pure-ftpd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'proftpd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ms_ftpd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ftpd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'hordeimp_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'roundcube_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'wordpress_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'cimserver_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'vpopmail_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'vmpop3d_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'courier_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'web_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'web_appsec_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'apache_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'nginx_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'php_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'mysql_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'postgresql_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ids_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'squid_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'firewall_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'cisco-ios_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'netscreenfw_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'sonicwall_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'postfix_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'sendmail_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'imapd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'mailscanner_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'dovecot_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ms-exchange_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'racoon_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'vpn_concentrator_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'spamd_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'msauth_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'mcafee_av_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'trend-osce_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ms-se_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'zeus_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'solaris_bsm_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'vmware_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ms_dhcp_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'asterisk_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'ossec_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'attack_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: >> > 'local_rules.xml' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: >> > '/etc/hosts.deny' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: >> > '/etc/mail/statistics' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: >> > '/etc/random-seed' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: >> > '/etc/httpd/logs' >> > >> > >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/messages'. >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file >> > '/var/log/authlog'. >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/authlog'. >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/secure'. >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file >> > '/var/log/xferlog'. >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/xferlog'. >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: >> > '/var/log/maillog'. >> > >> > 2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue >> > '/queue/alerts/ar' >> > not accessible: 'Connection refused'. >> > 2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to >> > active response queue. >> > >> > 2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan. >> > 2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan. >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file. >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245). >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file. >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248). >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file. >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250). >> > 2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan. >> > 2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan. >> > 2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan. >> > 2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan. >> > 2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan. >> > 2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan. >> > 2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan. >> > 2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan. >> > >> > The rootcheck runs by itself is it automatically? >> > >> >> Looks like it. >> >> > >> > NExt I went into alerts.log. So will all this be alerted via email or >> > only >> > some alerts? >> > >> >> Some alerts will trigger emails, some will not. You can customize a lot of >> that. >> >> > Saw this. >> > >> > ** Alert 1378572677.0: - syslog,sshd,authentication_success, >> > 2013 Sep 08 00:51:17 capture->/var/log/secure >> > Rule: 5715 (level 3) -> 'SSHD authentication success.' >> > Src IP: 60.50.38.78 >> > User: root >> > Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from >> > **.**.**.78 port 3516 ssh2 >> > >> > ** Alert 1378572679.290: - pam,syslog,authentication_success, >> > 2013 Sep 08 00:51:19 capture->/var/log/secure >> > Rule: 5501 (level 3) -> 'Login session opened.' >> > Sep 8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session >> > opened >> > for user root by (uid=0) >> > >> > ** Alert 1378572745.548: - syslog,sshd,authentication_success, >> > 2013 Sep 08 00:52:25 capture->/var/log/secure >> > Rule: 5715 (level 3) -> 'SSHD authentication success.' >> > Src IP: 60.50.38.78 >> > User: root >> > Sep 8 00:52:24 capture sshd[11985]: Accepted password for root from >> > **.**.**.78 port 3512 ssh2 >> > >> > ** Alert 1378572745.840: - pam,syslog,authentication_success, >> > 2013 Sep 08 00:52:25 capture->/var/log/secure >> > Rule: 5501 (level 3) -> 'Login session opened.' >> > Sep 8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session >> > opened >> > for user root by (uid=0) >> > >> > >> > Another thing this process zcat /var/log/*.gz | >> > /var/ossec/bin/ossec-logtest >> > basically what are we going to look out from here? >> > >> >> That will provide some alerts. In fact, the "-a" flag to ossec-logtest >> should provide alerts very similar to what is in alerts.log. >> >> Other than that, this question is too broad for me to answer. >> >> > >> > >> > >> > >> > On Friday, September 6, 2013 11:14:40 PM UTC+8, dan (ddpbsd) wrote: >> >> >> >> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <[email protected]> wrote: >> >> > Dear Dan, >> >> > I know your option you gave is just for single file. I >> >> > Want to >> >> > do the whole of /var/log how to go about with that which I think >> >> > that >> >> > is >> >> > what ossec-logtest does right. >> >> > I know neither of this does now work.. >> >> > cat /var/log | /var/ossec/bin/ossec-logtest > >> >> > /usr/local/ossetest.txt >> >> > 2>&1 >> >> > cat: /var/log: Is a directory >> >> > [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest > >> >> > /usr/local/ossetest.txt 2>&1 >> >> > gzip: /var/log is a directory -- ignored >> >> > >> >> >> >> You're running this on a linux or unix-like system, use the tools >> >> available. >> >> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest >> >> >> >> >> >> > How to confirm that syscheck is running. Normally where and what are >> >> > the >> >> > logfiles of ossec for us to to view or look?. Thank you. Sorry very >> >> > new >> >> > to >> >> > this tool. >> >> > >> >> >> >> /var/ossec/logs/ossec.log contains information like when syscheck runs. >> >> /var/ossec/logs/alerts/alerts.log has alert information. >> >> >> >> >> >> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan (ddpbsd) wrote: >> >> >> >> >> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <[email protected]> wrote: >> >> >> > Dear Dan, >> >> >> > For ossec-logtest I just ran like this >> >> >> > ./ossec-logtest? >> >> >> > How >> >> >> >> >> >> The easiest way is to pipe the log file through logtest: >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest >> >> >> >> >> >> Use zcat if the logfile is compressed. If you want to redirect the >> >> >> output to a file, use this: >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file >> >> >> 2>&1 >> >> >> >> >> >> >> >> >> > about the syscheck how to run it? What will both of this script >> >> >> > eventually >> >> >> >> >> >> By default, syscheck will run when OSSEC starts. >> >> >> >> >> >> > be doing? Do I need to run the rootcheck ? >> >> >> > >> >> >> >> >> >> Same as syscheck I believe. >> >> >> >> >> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, dan (ddpbsd) >> >> >> > wrote: >> >> >> >> >> >> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto <[email protected]> >> >> >> >> wrote: >> >> >> >> > Hi All, >> >> >> >> > I just rebuild and install ossec on my centos 6.4 >> >> >> >> > machine. >> >> >> >> > So >> >> >> >> > what >> >> >> >> > is the next step be done as this is any existing machine and I >> >> >> >> > want >> >> >> >> > to >> >> >> >> > check >> >> >> >> > for any previous intrusion? I also want to get alerts on >> >> >> >> > updates >> >> >> >> > on >> >> >> >> > my >> >> >> >> > local >> >> >> >> > files or any new files created? I am sorry very new to it. >> >> >> >> > >> >> >> >> >> >> >> >> You can use ossec-logtest to check old log files, and syscheck >> >> >> >> has a >> >> >> >> default configuration that can cover most needs. If you have >> >> >> >> custom >> >> >> >> locations that must be monitored, you should add them to the >> >> >> >> ossec.conf in the syscheck section. >> >> >> >> >> >> >> >> > -- >> >> >> >> > >> >> >> >> > --- >> >> >> >> > You received this message because you are subscribed to the >> >> >> >> > Google >> >> >> >> > Groups >> >> >> >> > "ossec-list" group. >> >> >> >> > To unsubscribe from this group and stop receiving emails from >> >> >> >> > it, >> >> >> >> > send >> >> >> >> > an >> >> >> >> > email to [email protected]. >> >> >> >> > For more options, visit >> >> >> >> > https://groups.google.com/groups/opt_out. >> >> >> > >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
