Seriously? OSSEC is FAR from a replacement for a centralized syslog
server, and to think it is, is folly IMO. Can OSSEC guarantee it will
receive all incoming logs? Can OSSEC store those logs in multiple
formats, text, SQL database? How does OSSEC handle the archival of said
logs? I could go on and on.

Syslog can be used to centralize your httpd logs by adding 2 lines to
your apache config. I push this to 100+ apache web servers and my
syslog server happily takes them all, archives them in a structure of
$year/$month/$day/$facility/$facility.log, and stuffs them into a SQL
database simultaneously without losing a message, regardless of how
much it's receiving.

/etc/apache2/conf.d/syslog.conf
ErrorLog syslog:local6
CustomLog "|/bin/logger -t httpd2-prefork -i -p local7.info" vhost_combined

--
Later,
Darin


On Wed, Jun 18, 2014 at 10:22 AM, Janelle <janellenicol...@gmail.com> wrote:
> I think people forget that when you put OSSEC on a server, it really does
> not make sense to run a syslog-type daemon sending data to a central log
> host at the same time OSSEC is doing it. It wastes bandwidth, and since OSSEC
> can actually deliver more than just standard "syslogs" - it is much more
> useful. For example, syslog is not typically going to centralize your HTTPD
> logging and OSSEC can. It makes sense to add a little more flexibility in
> the output of the logall feature.
>
> On Wednesday, June 18, 2014 5:06:31 AM UTC-7, James M. Pulver wrote:
>>
>> Maybe I’m crazy, but I think OSSEC is like a log daemon +…
>>
>> It’s cross platform, it includes encryption, it has built in filtering and
>> can do active response. Why would it make sense to duplicate log shipping if
>> you need it to do the security stuff? I.e. OSSEC ought to be a good log
>> aggregator to serve its primary security goal IMO.
>>
>> --
>> James Pulver
>> CLASSE Computer Group
>> Cornell University
>>
>> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On
>> Behalf Of Jeremy Rossi
>> Sent: Wednesday, June 18, 2014 7:50 AM
>> To: ossec...@googlegroups.com
>> Subject: Re: [ossec-list] logging all, but not commands?
>>
>> We would very much welcome it. Some suggestions, but nothing more for the
>> branch :).
>>
>> Agent -> master:
>>
>> JSON, and use the first char of { to pick a new code path for processing the
>> messages. This will allow the master to work with legacy agents and new agents
>> cleanly.
>>
>> Master->agent:
>>
>> This is harder but something I am working on now as part of the work on
>> active response. The reason it is harder is that unless we change the method of
>> encryption/communication at the same time, we have no concept of agent
>> version, so no idea what formats of messages are acceptable.  I still don't
>> know the best method for dealing with this and would love ideas.
>>
>> Logall:
>>
>> Side note: this log all feature comes up all the time and is confusing, I
>> think, and maybe something we should solve better.  But I am worried about
>> turning ossec from security to a log daemon, as other tools have solved that
>> problem.
>>
>> On Jun 18, 2014, at 12:30 AM, "Janelle" <janelle...@gmail.com> wrote:
>>
>> I guess I need to start a new branch and work on a way to do this :-)
>>
>> On Tuesday, June 17, 2014 2:57:34 PM UTC-7, Michael Starks wrote:
>>
>> On 2014-06-17 16:31, Janelle wrote:
>> > Trying to send "archives" to a syslog server for archival, and it
>> > can't handle all the extraneous code.
>>
>> Ah, yes. I have done this as well and had this problem with keepalives
>> and such. Another issue is that the ossec log format isn't syslog. It
>> looks like syslog but it's not. Then there's this:
>>
>> Agentless:
>> yyyy mmm dd hh:mm:ss (script_name) username->agentless ossec: agentless:
>> Change detected
>>
>> Command output:
>> yyyy mmm dd hh:mm:ss agentname->command
>>
>> Syscheck:
>> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->syscheck
>>
>> Windows:
>> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->log_name log_name_again
>>
>> Agent IP could be the IP or it could be "any."
>>
>> What I wish was that:
>>
>> 1. This was syslog formatted (or something else nice like JSON)
>> 2. In the syslog header, the hostname could be either the agent name or
>> the actual hostname
>> 3. Newlines were removed or otherwise handled gracefully
>>
>> And/or that raw logs could be sent over to a syslog server like alerts
>> are now, in addition to being analyzed. You could even strip off the
>> ossec header at that point and the syslog server wouldn't know the
>> difference.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>

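As an added example (not OSSEC's code and not anything posted in this thread), here is a small Python converter for the archives.log header shapes Michael Starks lists above. It does what his wish list asks for: agent name as the syslog hostname, the OSSEC header stripped, embedded newlines escaped, plus a JSON alternative. The sample line is constructed and the local2.info priority is an assumption.

```python
import json
import re
from datetime import datetime

# Added example, not OSSEC code. The header shapes follow the archives.log
# lines quoted in the thread; the sample line below is constructed.
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) )?"        # optional "(agent_name) "
    r"(?P<ip>\S+)->(?P<location>\S+)"    # agent_ip (or "any") -> location
    r"(?: (?P<payload>.*))?$",
    re.DOTALL,                           # payload may span several lines
)

SAMPLE = ("2014 Jun 18 10:22:00 (web01) 10.0.0.5->syscheck "
          "Integrity checksum changed for: '/etc/passwd'\n"
          "Old md5sum was: 'deadbeef'")   # constructed, not a real event

def parse_archive_line(line):
    """Split one archives.log entry into header fields plus the raw payload.
    Returns None when the text does not start with an OSSEC header."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    ip = m.group("ip")
    return {
        "timestamp": ts.isoformat(),
        # syslog hostname: agent name if present, else the IP, never "any"
        "host": m.group("agent") or (ip if ip != "any" else "unknown"),
        "agent_ip": ip,
        "location": m.group("location"),
        "payload": m.group("payload") or "",
    }

def to_syslog(line, facility=18, severity=6):
    """Re-emit the entry as an RFC 3164-style line (default PRI local2.info,
    an assumption) with the OSSEC header stripped and newlines escaped."""
    rec = parse_archive_line(line)
    if rec is None:
        return None
    ts = datetime.fromisoformat(rec["timestamp"]).strftime("%b %d %H:%M:%S")
    payload = rec["payload"].replace("\r", "\\r").replace("\n", "\\n")
    return f"<{facility * 8 + severity}>{ts} {rec['host']} ossec[{rec['location']}]: {payload}"

def to_json(line):
    """Same entry as one JSON object per line (the other format wished for)."""
    rec = parse_archive_line(line)
    return None if rec is None else json.dumps(rec, sort_keys=True)
```

Call `to_syslog(SAMPLE)` to see the two-line syscheck event collapse into a single syslog line that a plain syslog server will accept as-is.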
