On Tue, Sep 10, 2013 at 1:55 PM, frwa onto <[email protected]> wrote:
> Dear Dan,
> This shows as server.
>
> DIRECTORY="/var/ossec"
> VERSION="2.7"
> DATE="Sat Aug 31 14:42:53 MYT 2013"
> TYPE="server"
>
> Whereas I just need it to run as local for a single machine, is this fine?
>
I can't think of a reason it wouldn't be ok, but I don't think I've tried it.

> Ok I have seen this /var/ossec/queue/syscheck/ but it's just a limited number
> of files right? Not for every file. How do they validate a file if there have been

There should be 1-2 files per system.

> changes? Surely the checksum will change and is that change which will be
> notified, right?

If the file changes, the checksum probably changes. This triggers an alert.

>
> Thank you.
>
>
> On Wed, Sep 11, 2013 at 1:40 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 10, 2013 at 1:37 PM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> > How to confirm what type of installation is mine? So where is
>>
>> cat /etc/ossec-init.conf
>>
>> > the checksum db kept? Can I say that each syscheck run will update
>>
>> /var/ossec/queue/syscheck/SOMETHING
>>
>> > the checksum?
>> >
>>
>> The checksum will be updated when a scan is run after the file is
>> modified.
>>
>> > Thank you.
>> >
>> >
>> > On Wed, Sep 11, 2013 at 1:14 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Tue, Sep 10, 2013 at 1:08 PM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> > The problem now is I had to rebuild the ossec and install it.
>> >> > But normally the installation will ask if it is local, server or agent.
>> >> > So in my case all this was not asked. I guess my installation is local.
>> >> >
>> >> > I installed using this command: yum install
>> >> > ossec-hids-server-2.7-31.art.x86_64.rpm ossec-hids-2.7-31.art.x86_64.rpm.
>> >> > I know where to set up the email, that is /var/ossec/etc/ossec-server.conf.
>> >> > Anything else I must configure? I know I read some article saying that
>> >> > Active-Response can be risky if not set well.
>> >> >
>> >>
>> >> I don't know anything about the RPMs.
>> >>
>> >> > I notice my .conf file has this. Should I remove it?
>> >> >
>> >> > <!-- Active Response Config -->
>> >> > <active-response>
>> >> >   <!-- This response is going to execute the host-deny
>> >> >     - command for every event that fires a rule with
>> >> >     - level (severity) >= 6.
>> >> >     - The IP is going to be blocked for 600 seconds.
>> >> >   -->
>> >> >   <command>host-deny</command>
>> >> >   <location>local</location>
>> >> >   <level>6</level>
>> >> >   <timeout>600</timeout>
>> >> > </active-response>
>> >> >
>> >> > <active-response>
>> >> >   <!-- Firewall Drop response. Block the IP for
>> >> >     - 600 seconds on the firewall (iptables,
>> >> >     - ipfilter, etc).
>> >> >   -->
>> >> >   <command>firewall-drop</command>
>> >> >   <location>local</location>
>> >> >   <level>6</level>
>> >> >   <timeout>600</timeout>
>> >> > </active-response>
>> >> >
>> >> > So in my case will ossec go and get a checksum for all my files?
>> >> >
>> >>
>> >> AR does not get checksums, syscheck does that.
>> >>
>> >> > Thank you.
>> >> >
>> >> >
>> >> >
>> >> > On Wed, Sep 11, 2013 at 12:53 AM, dan (ddp) <[email protected]> wrote:
>> >> >>
>> >> >> On Tue, Sep 10, 2013 at 12:41 PM, frwa onto <[email protected]>
>> >> >> wrote:
>> >> >> > Dear Dan,
>> >> >> >
>> >> >> > 1. Ok, about the rules I won't take it as a concern for now.
>> >> >> >
>> >> >> > 2. Ok, now I am clear about both the logs.
>> >> >> >
>> >> >> > 3. Since you said that active response should react based on the
>> >> >> > logs, right, why do you not want me to use it?
>> >> >> >
>> >> >>
>> >> >> I never said you shouldn't use it, I just said it wasn't necessary.
>> >> >>
>> >> >> > 4. In brief, can I say that ossec will be reading the log files and
>> >> >> > accordingly it will react based on the logs? Can it react on files
>> >> >> > that are being modified etc?
>> >> >> >
>> >> >>
>> >> >> Agents get a checksum for files, and pass this checksum to the server
>> >> >> in a log message.
>> >> >> That log message is then analyzed, the checksum compared to the
>> >> >> checksum in the db, and if necessary an alert is created. Yes, AR can
>> >> >> be triggered by files being modified.
>> >> >>
>> >> >> > Thank you.
>> >> >> >
>> >> >> >
>> >> >> > On Wed, Sep 11, 2013 at 12:07 AM, dan (ddp) <[email protected]>
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> On Tue, Sep 10, 2013 at 11:59 AM, frwa onto <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > Dear Dan,
>> >> >> >> >
>> >> >> >> > 1. Is there any link on how to download and update the latest
>> >> >> >> > rules? Because how to update the installation (uninstall and
>> >> >> >> > reinstall?) unless it is installed via yum, right? But in my case
>> >> >> >> > my .rpm is rebuilt?
>> >> >> >> >
>> >> >> >>
>> >> >> >> I don't know anything about the RPMs. Just replace the rules files
>> >> >> >> with newer copies. The rules don't get updated very often right now,
>> >> >> >> so it isn't a big concern.
>> >> >> >>
>> >> >> >> > 2. Ok, I can see all the logs in the /var/ossec/logs/alerts have a
>> >> >> >> > rule number. How about the one in /var/ossec/ossec.log, what does
>> >> >> >> > this represent, because all the errors I posted earlier were from
>> >> >> >> > this ossec.log.
>> >> >> >> >
>> >> >> >>
>> >> >> >> Those are OSSEC logs. They are the logs from the OSSEC processes.
>> >> >> >>
>> >> >> >> > 3. I am trying to read from here on active-response
>> >> >> >> >
>> >> >> >> > http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html
>> >> >> >> >
>> >> >> >> > actually what is it? So you said there's no need to use it; any
>> >> >> >> > specific reason or drawback of it?
>> >> >> >> >
>> >> >> >>
>> >> >> >> I find it difficult to believe you've done any research into OSSEC if
>> >> >> >> you don't know what active response is.
>> >> >> >>
>> >> >> >> It's the capability for OSSEC to automatically do things based on
>> >> >> >> logs received.
>> >> >> >>
>> >> >> >> > Thank you.
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > On Tue, Sep 10, 2013 at 11:17 PM, dan (ddp) <[email protected]>
>> >> >> >> > wrote:
>> >> >> >> >>
>> >> >> >> >> On Tue, Sep 10, 2013 at 10:14 AM, frwa onto
>> >> >> >> >> <[email protected]>
>> >> >> >> >> wrote:
>> >> >> >> >> > Dear Dan,
>> >> >> >> >> > Sorry, I will limit my question.
>> >> >> >> >> > 1. How to manually update the rules?
>> >> >> >> >>
>> >> >> >> >> Either add your own to local_rules.xml, download the latest rules
>> >> >> >> >> from the repository, or update your OSSEC installation.
>> >> >> >> >>
>> >> >> >> >> > 2. Here I don't see any rules. It does not state what rule
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Any entry in alerts.log is there because the log message triggered a
>> >> >> >> >> rule. The rule id is mentioned in each entry. For example:
>> >> >> >> >>
>> >> >> >> >> ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> >> >> >> 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> >> >> >> Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> >> >> Src IP: 60.50.38.78
>> >> >> >> >> User: root
>> >> >> >> >> Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from
>> >> >> >> >> **.**.**.78 port 3516 ssh2
>> >> >> >> >>
>> >> >> >> >> The above alert was for rule 5715. If you look in
>> >> >> >> >> /var/ossec/rules/sshd_rules.xml you should see rule 5715.
>> >> >> >> >>
>> >> >> >> >> >> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> >> >> >> >> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
>> >> >> >> >> >> not accessible: 'Connection refused'.
>> >> >> >> >> >> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect
>> >> >> >> >> >> to active response queue.
>> >> >> >> >> >
>> >> >> >> >> > Isn't active response a key part of ossec? How to enable it and
>> >> >> >> >> > what does it do?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> You don't have to use it.
>> >> >> >> >>
>> >> >> >> >> > Thank you very much.
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > On Tuesday, September 10, 2013 9:12:09 PM UTC+8, dan (ddpbsd)
>> >> >> >> >> > wrote:
>> >> >> >> >> >>
>> >> >> >> >> >> On Sat, Sep 7, 2013 at 1:03 PM, frwa onto
>> >> >> >> >> >> <[email protected]>
>> >> >> >> >> >> wrote:
>> >> >> >> >> >> > Dear Dan,
>> >> >> >> >> >> > Yes, I went into the ossec.log and saw like below. I got a
>> >> >> >> >> >> > few things to ask here. First I saw it say 1229 total rules
>> >> >> >> >> >> > enabled. Will the rules increase by themselves or need manual
>> >> >> >> >> >> > intervention? Why are some showing
>> >> >> >> >> >>
>> >> >> >> >> >> You will have to update the rules manually (for now).
>> >> >> >> >> >>
>> >> >> >> >> >> > as errors? Another error is this one: Queue '/queue/alerts/ar' not
>> >> >> >> >> >>
>> >> >> >> >> >> What rules are showing up as errors?
>> >> >> >> >> >>
>> >> >> >> >> >> > accessible: 'Connection refused'.?
>> >> >> >> >> >>
>> >> >> >> >> >> Are you using active response? If not, ignore.
>> >> >> >> >> >>
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > 2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986).
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/access_log'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/error_log'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >> >> >> > 2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982).
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982).
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> >> >> >> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> >> >> >> >> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> >> >> >> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> >> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
>> >> >> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
>> >> >> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
>> >> >> >> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
>> >> >> >> >> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> >> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010).
>> >> >> >> >> >> > 2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064).
>> >> >> >> >> >> > 2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> >> >> >> >> > 2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> >> >> >> >> >> > 2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> >> > 2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >> >> > 2013/08/31 16:47:07 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> >> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> >> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> >> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> >> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> >> >> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> >> >> >> >> > 2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> >> >> >> > 2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> >> >> > 2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> >> > 2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >> >> > 2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> >> >> > 2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> >> >> > 2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> >> >> > 2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> >> >> > 2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> >> >> >> >> >> > 2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> >> >> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> >> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246).
>> >> >> >> >> >> > 2013/09/01 21:32:08 DEBUG: I am creating the SQLite table.
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269).
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file.
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> >> >> >> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> >> >> >> >> >> >
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> >> >> >> > 2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >> >> >> >
>> >> >> >> >> >> > 2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> >> > 2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> >> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245).
>> >> >> >> >> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> >> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248).
>> >> >> >> >> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file.
>> >> >> >> >> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250).
>> >> >> >> >> >> > 2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> >> >> >> > 2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> >> >> > 2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> >> > 2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >> >> > 2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> >> >> >> > 2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> >> >> >> > 2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> >> >> >> > 2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >> >> >> >
>> >> >> >> >> >> > The rootcheck runs by itself, is it automatic?
>> >> >> >> >> >> >
>> >> >> >> >> >>
>> >> >> >> >> >> Looks like it.
>> >> >> >> >> >>
>> >> >> >> >> >> >
>> >> >> >> >> >> > Next I went into alerts.log. So will all this be alerted via
>> >> >> >> >> >> > email or only some alerts?
>> >> >> >> >> >> >
>> >> >> >> >> >>
>> >> >> >> >> >> Some alerts will trigger emails, some will not. You can customize
>> >> >> >> >> >> a lot of that.
>> >> >> >> >> >>
>> >> >> >> >> >> > Saw this.
>> >> >> >> >> >> >
>> >> >> >> >> >> > ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> >> >> >> >> > 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> >> >> >> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> >> >> >> > Src IP: 60.50.38.78 >> >> >> >> >> >> > User: root >> >> >> >> >> >> > Sep 8 00:51:17 capture sshd[11987]: Accepted password >> >> >> >> >> >> > for >> >> >> >> >> >> > root >> >> >> >> >> >> > from >> >> >> >> >> >> > **.**.**.78 port 3516 ssh2 >> >> >> >> >> >> > >> >> >> >> >> >> > ** Alert 1378572679.290: - >> >> >> >> >> >> > pam,syslog,authentication_success, >> >> >> >> >> >> > 2013 Sep 08 00:51:19 capture->/var/log/secure >> >> >> >> >> >> > Rule: 5501 (level 3) -> 'Login session opened.' >> >> >> >> >> >> > Sep 8 00:51:17 capture sshd[11987]: >> >> >> >> >> >> > pam_unix(sshd:session): >> >> >> >> >> >> > session >> >> >> >> >> >> > opened >> >> >> >> >> >> > for user root by (uid=0) >> >> >> >> >> >> > >> >> >> >> >> >> > ** Alert 1378572745.548: - >> >> >> >> >> >> > syslog,sshd,authentication_success, >> >> >> >> >> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure >> >> >> >> >> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.' >> >> >> >> >> >> > Src IP: 60.50.38.78 >> >> >> >> >> >> > User: root >> >> >> >> >> >> > Sep 8 00:52:24 capture sshd[11985]: Accepted password >> >> >> >> >> >> > for >> >> >> >> >> >> > root >> >> >> >> >> >> > from >> >> >> >> >> >> > **.**.**.78 port 3512 ssh2 >> >> >> >> >> >> > >> >> >> >> >> >> > ** Alert 1378572745.840: - >> >> >> >> >> >> > pam,syslog,authentication_success, >> >> >> >> >> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure >> >> >> >> >> >> > Rule: 5501 (level 3) -> 'Login session opened.' >> >> >> >> >> >> > Sep 8 00:52:25 capture sshd[11985]: >> >> >> >> >> >> > pam_unix(sshd:session): >> >> >> >> >> >> > session >> >> >> >> >> >> > opened >> >> >> >> >> >> > for user root by (uid=0) >> >> >> >> >> >> > >> >> >> >> >> >> > >> >> >> >> >> >> > Another thing this process zcat /var/log/*.gz | >> >> >> >> >> >> > /var/ossec/bin/ossec-logtest >> >> >> >> >> >> > basically what are we going to look out from here? 
>> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> That will provide some alerts. In fact, the "-a" flag to >> >> >> >> >> >> ossec-logtest >> >> >> >> >> >> should provide alerts very similar to what is in >> >> >> >> >> >> alerts.log. >> >> >> >> >> >> >> >> >> >> >> >> Other than that, this question is too broad for me to >> >> >> >> >> >> answer. >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> >> >> >> > >> >> >> >> >> >> > >> >> >> >> >> >> > >> >> >> >> >> >> > On Friday, September 6, 2013 11:14:40 PM UTC+8, dan >> >> >> >> >> >> > (ddpbsd) >> >> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> >> >> >> >> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto >> >> >> >> >> >> >> <[email protected]> >> >> >> >> >> >> >> wrote: >> >> >> >> >> >> >> > Dear Dan, >> >> >> >> >> >> >> > I know your option you gave is just for >> >> >> >> >> >> >> > single >> >> >> >> >> >> >> > file. >> >> >> >> >> >> >> > I >> >> >> >> >> >> >> > Want to >> >> >> >> >> >> >> > do the whole of /var/log how to go about with that >> >> >> >> >> >> >> > which >> >> >> >> >> >> >> > I >> >> >> >> >> >> >> > think >> >> >> >> >> >> >> > that >> >> >> >> >> >> >> > is >> >> >> >> >> >> >> > what ossec-logtest does right. >> >> >> >> >> >> >> > I know neither of this does now work.. >> >> >> >> >> >> >> > cat /var/log | /var/ossec/bin/ossec-logtest > >> >> >> >> >> >> >> > /usr/local/ossetest.txt >> >> >> >> >> >> >> > 2>&1 >> >> >> >> >> >> >> > cat: /var/log: Is a directory >> >> >> >> >> >> >> > [root@capture var]# zcat /var/log | >> >> >> >> >> >> >> > /var/ossec/bin/ossec-logtest >> >> >> >> >> >> >> > > >> >> >> >> >> >> >> > /usr/local/ossetest.txt 2>&1 >> >> >> >> >> >> >> > gzip: /var/log is a directory -- ignored >> >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> >> >> You're running this on a linux or unix-like system, use >> >> >> >> >> >> >> the >> >> >> >> >> >> >> tools >> >> >> >> >> >> >> available. 
>> >> >> >> >> >> >> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > How to confirm that syscheck is running. Normally >> >> >> >> >> >> >> > where >> >> >> >> >> >> >> > and >> >> >> >> >> >> >> > what >> >> >> >> >> >> >> > are >> >> >> >> >> >> >> > the >> >> >> >> >> >> >> > logfiles of ossec for us to to view or look?. Thank >> >> >> >> >> >> >> > you. >> >> >> >> >> >> >> > Sorry >> >> >> >> >> >> >> > very >> >> >> >> >> >> >> > new >> >> >> >> >> >> >> > to >> >> >> >> >> >> >> > this tool. >> >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> >> >> /var/ossec/logs/ossec.log contains information like when >> >> >> >> >> >> >> syscheck >> >> >> >> >> >> >> runs. >> >> >> >> >> >> >> /var/ossec/logs/alerts/alerts.log has alert information. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan >> >> >> >> >> >> >> > (ddpbsd) >> >> >> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto >> >> >> >> >> >> >> >> <[email protected]> >> >> >> >> >> >> >> >> wrote: >> >> >> >> >> >> >> >> > Dear Dan, >> >> >> >> >> >> >> >> > For ossec-logtest I just ran like >> >> >> >> >> >> >> >> > this >> >> >> >> >> >> >> >> > ./ossec-logtest? >> >> >> >> >> >> >> >> > How >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> The easiest way is to pipe the log file through >> >> >> >> >> >> >> >> logtest: >> >> >> >> >> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Use zcat if the logfile is compressed. 
If you want to >> >> >> >> >> >> >> >> redirect >> >> >> >> >> >> >> >> the >> >> >> >> >> >> >> >> output to a file, use this: >> >> >> >> >> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > >> >> >> >> >> >> >> >> /path/to/file >> >> >> >> >> >> >> >> 2>&1 >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > about the syscheck how to run it? What will both of >> >> >> >> >> >> >> >> > this >> >> >> >> >> >> >> >> > script >> >> >> >> >> >> >> >> > eventually >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> By default, syscheck will run when OSSEC starts. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > be doing? Do I need to run the rootcheck ? >> >> >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Same as syscheck I believe. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, >> >> >> >> >> >> >> >> > dan >> >> >> >> >> >> >> >> > (ddpbsd) >> >> >> >> >> >> >> >> > wrote: >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto >> >> >> >> >> >> >> >> >> <[email protected]> >> >> >> >> >> >> >> >> >> wrote: >> >> >> >> >> >> >> >> >> > Hi All, >> >> >> >> >> >> >> >> >> > I just rebuild and install ossec on my >> >> >> >> >> >> >> >> >> > centos >> >> >> >> >> >> >> >> >> > 6.4 >> >> >> >> >> >> >> >> >> > machine. >> >> >> >> >> >> >> >> >> > So >> >> >> >> >> >> >> >> >> > what >> >> >> >> >> >> >> >> >> > is the next step be done as this is any existing >> >> >> >> >> >> >> >> >> > machine >> >> >> >> >> >> >> >> >> > and >> >> >> >> >> >> >> >> >> > I >> >> >> >> >> >> >> >> >> > want >> >> >> >> >> >> >> >> >> > to >> >> >> >> >> >> >> >> >> > check >> >> >> >> >> >> >> >> >> > for any previous intrusion? 
I also want to get >> >> >> >> >> >> >> >> >> > alerts >> >> >> >> >> >> >> >> >> > on >> >> >> >> >> >> >> >> >> > updates >> >> >> >> >> >> >> >> >> > on >> >> >> >> >> >> >> >> >> > my >> >> >> >> >> >> >> >> >> > local >> >> >> >> >> >> >> >> >> > files or any new files created? I am sorry very >> >> >> >> >> >> >> >> >> > new >> >> >> >> >> >> >> >> >> > to >> >> >> >> >> >> >> >> >> > it. >> >> >> >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> You can use ossec-logtest to check old log files, >> >> >> >> >> >> >> >> >> and >> >> >> >> >> >> >> >> >> syscheck >> >> >> >> >> >> >> >> >> has a >> >> >> >> >> >> >> >> >> default configuration that can cover most needs. >> >> >> >> >> >> >> >> >> If >> >> >> >> >> >> >> >> >> you >> >> >> >> >> >> >> >> >> have >> >> >> >> >> >> >> >> >> custom >> >> >> >> >> >> >> >> >> locations that must be monitored, you should add >> >> >> >> >> >> >> >> >> them >> >> >> >> >> >> >> >> >> to >> >> >> >> >> >> >> >> >> the >> >> >> >> >> >> >> >> >> ossec.conf in the syscheck section. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > -- >> >> >> >> >> >> >> >> >> > >> >> >> >> >> >> >> >> >> > --- >> >> >> >> >> >> >> >> >> > You received this message because you are >> >> >> >> >> >> >> >> >> > subscribed >> >> >> >> >> >> >> >> >> > to >> >> >> >> >> >> >> >> >> > the >> >> >> >> >> >> >> >> >> > Google >> >> >> >> >> >> >> >> >> > Groups >> >> >> >> >> >> >> >> >> > "ossec-list" group. >> >> >> >> >> >> >> >> >> > To unsubscribe from this group and stop >> >> >> >> >> >> >> >> >> > receiving >> >> >> >> >> >> >> >> >> > emails >> >> >> >> >> >> >> >> >> > from >> >> >> >> >> >> >> >> >> > it, >> >> >> >> >> >> >> >> >> > send >> >> >> >> >> >> >> >> >> > an >> >> >> >> >> >> >> >> >> > email to [email protected]. >> >> >> >> >> >> >> >> >> > For more options, visit >> >> >> >> >> >> >> >> >> > https://groups.google.com/groups/opt_out. 
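The question in the thread, what to look out for in alerts.log or in the output of ossec-logtest -a, is easiest to answer with a script over the alert blocks themselves. What follows is an added example written for this page; it is not code from the thread, from Dan, or from the OSSEC project. It parses the alert layout quoted above (the "** Alert" header, the timestamp/location line, the "Rule:" line, the optional "Src IP:" and "User:" lines, then the raw event) and pulls out the one pattern the quoted alerts actually show: rule 5715 firing on a root login accepted with a password, counted per source address. The sample alerts are constructed to mirror the quoted ones; the rule numbers and descriptions are as quoted, but the addresses are RFC 5737 documentation ranges (203.0.113.78, 192.0.2.10), not the host on the list, and the file name ossec_alert_summary.py is my choice.

```python
"""Summarise OSSEC alerts.log (or `ossec-logtest -a` output) and flag
root password logins over SSH.

Added example for this page, not part of OSSEC or of the thread above.
Assumes the alert layout quoted in the thread: a '** Alert' header, a
timestamp/location line, a 'Rule:' line, optional 'Src IP:' and 'User:'
lines, then the raw log line(s); blocks are separated by a blank line.
"""
import re
import sys
from collections import Counter

# Constructed sample modelled on the alerts quoted in the thread. The
# addresses are RFC 5737 documentation ranges, not the host on the list.
SAMPLE_ALERTS = """\
** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.78
User: root
Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from 203.0.113.78 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.78
User: root
Sep  8 00:52:24 capture sshd[11985]: Accepted password for root from 203.0.113.78 port 3512 ssh2

** Alert 1378572800.100: - syslog,sshd,authentication_success,
2013 Sep 08 00:53:20 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
User: alice
Sep  8 00:53:20 capture sshd[12001]: Accepted publickey for alice from 192.0.2.10 port 50212 ssh2
"""

# Header tolerates the "mail" marker that emailed alerts carry.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+):\s*(?:mail\s+)?-\s*(?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Turn alerts.log text into a list of dicts, one per '** Alert' block.
    Lines outside a block (e.g. logtest start-up chatter) are ignored."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"id": m.group("id"),
                   "groups": [g for g in m.group("groups").split(",") if g],
                   "rule": None, "level": None, "desc": "", "location": None,
                   "src_ip": None, "user": None, "log": []}
            alerts.append(cur)
            continue
        if cur is None:
            continue                        # noise before the first alert
        if not line.strip():
            cur = None                      # blank line closes the block
            continue
        r = RULE_RE.match(line)
        if r:
            cur["rule"] = int(r.group("rule"))
            cur["level"] = int(r.group("level"))
            cur["desc"] = r.group("desc")
        elif line.startswith("Src IP: "):
            cur["src_ip"] = line[8:].strip()
        elif line.startswith("User: "):
            cur["user"] = line[6:].strip()
        elif line[:4].isdigit() and "->" in line:
            # "YYYY Mon DD hh:mm:ss host->/path/to/logfile"
            cur["location"] = line.split("->", 1)[1].strip()
        else:
            cur["log"].append(line)         # the raw event that fired the rule
    return alerts


def root_password_logins(alerts):
    """(alert id, source IP) for rule 5715 hits where root got in with a
    password: the pattern the quoted alerts show, and the first thing to
    chase on a box you suspect was already compromised."""
    return [(a["id"], a["src_ip"]) for a in alerts
            if a["rule"] == 5715 and a["user"] == "root"
            and any("Accepted password" in l for l in a["log"])]


def summarize(alerts):
    """Counts per (rule, description) and per source IP."""
    by_rule = Counter((a["rule"], a["desc"]) for a in alerts)
    by_ip = Counter(a["src_ip"] for a in alerts if a["src_ip"])
    return by_rule, by_ip


if __name__ == "__main__":
    # On a terminal with no input, report on the built-in sample.
    text = SAMPLE_ALERTS if sys.stdin.isatty() else sys.stdin.read()
    alerts = parse_alerts(text)
    by_rule, by_ip = summarize(alerts)
    print("alerts by rule:")
    for (rule, desc), n in by_rule.most_common():
        print(f"  {n:5d}  {rule}  {desc}")
    print("alerts with a source IP, by IP:")
    for ip, n in by_ip.most_common():
        print(f"  {n:5d}  {ip}")
    for aid, ip in root_password_logins(alerts):
        print(f"ROOT PASSWORD LOGIN  alert {aid}  from {ip}")
```

On a live box run it as python3 ossec_alert_summary.py < /var/ossec/logs/alerts/alerts.log, or pipe zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest -a into it, since Dan notes the -a output is very similar to alerts.log. Anything that is not an alert block, such as logtest's own start-up messages, is skipped, and a blank line closes a block, so mixed output is tolerated; if the first line of your logtest output does not look like the "** Alert ...: - groups," header quoted in the thread, adjust HEADER_RE before trusting the counts. The rule 5715 check keys on the "Accepted password" text of the raw sshd line rather than on the rule alone, because the same rule also fires for key-based logins, which are the ones you would expect to see for root if password login is meant to be off.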
