Re: [ossec-list] Missing ossec-hids in logrotate.d
Cool! Thanks again for the feedback. :)

Scott

On Thu, Jun 18, 2020, 09:03 dan (ddp) wrote:
> On Wed, Jun 17, 2020 at 5:06 PM Scott Wozny wrote:
> >
> > OK, so after a little more digging, I see now why there is no logrotate script that comes with the build from source since the files in /var/ossec/logs/alerts, archives and firewall are managed and compressed by ossec, itself. :)
> >
> > This leaves me with a couple questions, though.
> > 1) Is the size of ossec.log managed in the same way or should I have a plan for handling that file as it grows (logrotate or whatever)? I didn't see a date based storage structure like with the other 3 log subdirectories (and the ossec.log has more than a day's worth of data, unlike the other 3), but I wanted to confirm.
>
> OSSEC does not manage the ossec.log file.
>
> > 2) Can / should I be monitoring /var/ossec/logs/ossec.log? My only concern is creating some sort of infinite loop situation where I create a line in the file that causes an alert that causes another line to be created in the file that causes another alert etc... until the disk fills up.
>
> I think that's why it isn't monitored by default. I'd be wary of monitoring it with itself. Not to say it can't be done, but you'd have to be careful.
>
> > 3) This is a little off-topic, but what is the purpose of firewall.log? I can't seem to find any reference in the documentation.
> >
>
> I don't know. I think the idea was that firewalls log a lot of stuff all the time, and you don't necessarily want them clogging up the usual log files. But that's just a guess.
>
> > Thanks,
> >
> > Scott
> >
> > On Wed, Jun 17, 2020 at 1:37 PM Scott Wozny wrote:
> >>
> >> Thanks for the reply, Dan. I'll probably roll my own logrotate script and use the one from the Atomic repo 3.3.0 install as a base. And yes, ossec.log was empty because I hadn't started the agent yet. I had assumed a different purpose for that file, but now that I'm running a few agents reporting to a server it all makes more sense now. :)
> >>
> >> Scott
> >>
> >> On Wed, Jun 17, 2020 at 8:26 AM dan (ddp) wrote:
> >>>
> >>> On Mon, Jun 15, 2020 at 3:09 PM Scott Wozny wrote:
> >>> >
> >>> > I'm trying to get off the Atomic repo for a variety of reasons, so I just did a 3.6.0 agent install from the tarball's script on a CentOS 7 minimal machine to test the process and compatibility with my build tweaks. One of the issues I had with the Atomic repo 3.3.0 package install was /var/ossec/logs was of SELinux fcontext var_t rather than var_log_t which made those files inaccessible on an enforcing machine to logrotate_t. An easy fix, but I never got around to doing it. Now I see there is no ossec-hids script in /etc/logrotate.d. Is this intentional (as in, I need to roll my own) or could something have gone wrong during the install? I didn't see anything in /var/log/messages or journalctl and /var/ossec/logs/ossec.log (the only file in that directory) is empty. Is there anywhere that install results are logged or am I just expected to go through the output after ./install.sh?
> >>> >
> >>> > Any assistance or suggestions would be appreciated.
> >>> >
> >>>
> >>> We don't include a log rotate script.
> >>> We don't log anything in the install.sh (I usually tee it to a file when I'm curious).
> >>> If ossec.log is empty, ossec probably isn't running. Or maybe an selinux issue?
> >>>
> >>> > Thanks,
> >>> >
> >>> > Scott
> >>> >
> >>> > --
> >>> > ---
> >>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> >>> > To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/63ff1d8d-3877-48b4-b3c1-d558b4427219o%40googlegroups.com.
Re: [ossec-list] Missing ossec-hids in logrotate.d
On Wed, Jun 17, 2020 at 5:06 PM Scott Wozny wrote:
>
> OK, so after a little more digging, I see now why there is no logrotate script that comes with the build from source since the files in /var/ossec/logs/alerts, archives and firewall are managed and compressed by ossec, itself. :)
>
> This leaves me with a couple questions, though.
> 1) Is the size of ossec.log managed in the same way or should I have a plan for handling that file as it grows (logrotate or whatever)? I didn't see a date based storage structure like with the other 3 log subdirectories (and the ossec.log has more than a day's worth of data, unlike the other 3), but I wanted to confirm.

OSSEC does not manage the ossec.log file.

> 2) Can / should I be monitoring /var/ossec/logs/ossec.log? My only concern is creating some sort of infinite loop situation where I create a line in the file that causes an alert that causes another line to be created in the file that causes another alert etc... until the disk fills up.

I think that's why it isn't monitored by default. I'd be wary of monitoring it with itself. Not to say it can't be done, but you'd have to be careful.

> 3) This is a little off-topic, but what is the purpose of firewall.log? I can't seem to find any reference in the documentation.
>

I don't know. I think the idea was that firewalls log a lot of stuff all the time, and you don't necessarily want them clogging up the usual log files. But that's just a guess.

> Thanks,
>
> Scott
>
> On Wed, Jun 17, 2020 at 1:37 PM Scott Wozny wrote:
>>
>> Thanks for the reply, Dan. I'll probably roll my own logrotate script and use the one from the Atomic repo 3.3.0 install as a base. And yes, ossec.log was empty because I hadn't started the agent yet. I had assumed a different purpose for that file, but now that I'm running a few agents reporting to a server it all makes more sense now. :)
>>
>> Scott
>>
>> On Wed, Jun 17, 2020 at 8:26 AM dan (ddp) wrote:
>>>
>>> On Mon, Jun 15, 2020 at 3:09 PM Scott Wozny wrote:
>>> >
>>> > I'm trying to get off the Atomic repo for a variety of reasons, so I just did a 3.6.0 agent install from the tarball's script on a CentOS 7 minimal machine to test the process and compatibility with my build tweaks. One of the issues I had with the Atomic repo 3.3.0 package install was /var/ossec/logs was of SELinux fcontext var_t rather than var_log_t which made those files inaccessible on an enforcing machine to logrotate_t. An easy fix, but I never got around to doing it. Now I see there is no ossec-hids script in /etc/logrotate.d. Is this intentional (as in, I need to roll my own) or could something have gone wrong during the install? I didn't see anything in /var/log/messages or journalctl and /var/ossec/logs/ossec.log (the only file in that directory) is empty. Is there anywhere that install results are logged or am I just expected to go through the output after ./install.sh?
>>> >
>>> > Any assistance or suggestions would be appreciated.
>>> >
>>>
>>> We don't include a log rotate script.
>>> We don't log anything in the install.sh (I usually tee it to a file when I'm curious).
>>> If ossec.log is empty, ossec probably isn't running. Or maybe an selinux issue?
>>>
>>> > Thanks,
>>> >
>>> > Scott
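Dan's answer (no bundled logrotate script, and OSSEC does not manage ossec.log) and Scott's SELinux note (/var/ossec/logs labelled var_t instead of var_log_t, so logrotate_t cannot reach it on an enforcing host) together describe a two-step fix. The POSIX shell script below is an added example, not code from the thread or from the OSSEC project: it writes a logrotate stanza for ossec.log and relabels the log directory for SELinux. It assumes the default /var/ossec layout, that the OSSEC daemons keep ossec.log open with no reopen-on-signal (hence copytruncate instead of create plus a postrotate hook), that semanage and restorecon exist on the host, and it takes /etc/logrotate.d/ossec-hids as the install path because that is the file Scott looked for.

```shell
#!/bin/sh
# Added example, not OSSEC's own code. Assumptions: default /var/ossec layout,
# OSSEC keeps ossec.log open without a reopen signal (so copytruncate is used),
# and semanage/restorecon are present on an SELinux-enforcing host.

OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
OSSEC_LOG_DIR="${OSSEC_LOG_DIR:-/var/ossec/logs}"

# Emit a logrotate stanza for ossec.log on stdout.
ossec_logrotate_conf() {
    cat <<EOF
$OSSEC_LOG {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    # OSSEC keeps ossec.log open: copy the file and truncate it in place
    # instead of renaming it, so the daemons keep writing to the live file.
    # Lines written between the copy and the truncate are lost; that is the
    # known trade-off of copytruncate.
    copytruncate
}
EOF
}

# Write the stanza to /etc/logrotate.d/ossec-hids (or the path given as $1)
# and print the path written.
install_ossec_logrotate() {
    target="${1:-/etc/logrotate.d/ossec-hids}"
    ossec_logrotate_conf > "$target" || return 1
    chmod 0644 "$target" || return 1
    printf '%s\n' "$target"
}

# Dry-run the installed stanza: logrotate -d parses it and reports what it
# would do without touching any file. Returns logrotate's status.
check_ossec_logrotate() {
    target="${1:-/etc/logrotate.d/ossec-hids}"
    command -v logrotate >/dev/null 2>&1 || { echo "logrotate not found" >&2; return 1; }
    logrotate -d "$target"
}

# Relabel the log directory from var_t to var_log_t so logrotate_t can read
# and truncate the file under an enforcing policy. The fcontext rule makes the
# label persistent; restorecon applies it to files that already exist.
fix_ossec_selinux_context() {
    dir="${1:-$OSSEC_LOG_DIR}"
    pattern="$dir(/.*)?"
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; skipping SELinux relabel" >&2
        return 0
    fi
    # -a fails if a rule for the pattern already exists; fall back to -m.
    semanage fcontext -a -t var_log_t "$pattern" 2>/dev/null \
        || semanage fcontext -m -t var_log_t "$pattern" || return 1
    restorecon -R "$dir"
}

# Usage: sh ossec-logrotate.sh --install   (run as root on the OSSEC host)
if [ "${1:-}" = "--install" ]; then
    install_ossec_logrotate && fix_ossec_selinux_context && check_ossec_logrotate
fi
```

After installing, `ls -Zd /var/ossec/logs` should show var_log_t, and `logrotate -d /etc/logrotate.d/ossec-hids` should list ossec.log without permission errors; the alerts, archives and firewall subdirectories are deliberately left out of the stanza because OSSEC already rotates and compresses those itself.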
Re: [ossec-list] Windows 2012 logs missing
I will keep trying, maybe I can find the solution for it, and thank you for your time.

On Wednesday, June 17, 2020 at 8:03:11 AM UTC-7, dan (ddpbsd) wrote:
> On Wed, Jun 17, 2020 at 9:26 AM Rashad Mogsi wrote:
> >
> > first thx for the reply
> > and I did install the ossec-hids-agent and it's active on the ossem server.
> > so I can't receive any logs in the OSSEM WEB.
> > so I want to know how to change refresh rate of receiving logs from the server to WEB interface GUI.
> >
>
> You can check the /var/ossec/logs/alerts.log file on the OSSEC server to see if the agent is triggering alerts.
> If you turn on the logall option on the OSSEC server, you can check /var/ossec/logs/archives/archives.log to make sure the agent is sending logs to the OSSEC server.
> I don't know enough about OSSEM to help with that though.
>
> > Thank you again for your attention.
> >
> > On Wednesday, June 17, 2020 at 6:19:29 AM UTC-7, dan (ddpbsd) wrote:
> >>
> >> On Wed, Jun 17, 2020 at 9:15 AM Rashad Mogsi wrote:
> >> >
> >> > I have installed OSSEM Server on Esxi and I can't receive any logs from the Windows server.
> >> > is there any configurations should I do from the OSSEM or from the windows so I can see the logs
> >> >
> >>
> >> OSSEM or OSSEC? I can't help you with OSSEM.
> >> If you're using OSSEC, did you install the agent software on the Windows host?
> >> Did you add the agent to the OSSEC server?
> >>
> >> > any one can answer?
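Dan's troubleshooting advice in this thread is to look for the agent's events in /var/ossec/logs/alerts.log and, with logall switched on, in /var/ossec/logs/archives/archives.log on the OSSEC server. The POSIX shell script below is an added example, not OSSEC's own tooling, that turns that check into a repeatable test: it counts the events a named agent has delivered, reports whether `<logall>yes</logall>` is set in ossec.conf, and ships a constructed three-line archives.log (agent names, IPs and event text are made up for the demo) so it can be run offline. It assumes the default /var/ossec layout and the `(agentname) ip->location` source prefix the OSSEC server writes in front of each archived event.

```shell
#!/bin/sh
# Added example, not OSSEC's own tooling. Assumes the default /var/ossec layout
# and the "(agent) ip->location" prefix on archives.log lines.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Count lines in a log file whose source field names the given agent.
# Prints 0 when nothing matches; returns 1 only if the file is unreadable.
count_agent_events() {
    log="$1"; agent="$2"
    [ -r "$log" ] || { echo 0; return 1; }
    grep -c "($agent) " "$log" || true
}

# Return 0 when the agent shows up in archives.log, 1 otherwise.
agent_delivers_logs() {
    agent="$1"
    archives="${2:-$OSSEC_DIR/logs/archives/archives.log}"
    n=$(count_agent_events "$archives" "$agent") || return 1
    [ "$n" -gt 0 ]
}

# Return 0 when <logall>yes</logall> is set in ossec.conf. Without it only
# events that raised an alert reach archives.log, so an agent that sends
# uninteresting logs can look silent there.
logall_enabled() {
    conf="${1:-$OSSEC_DIR/etc/ossec.conf}"
    grep -q '<logall>yes</logall>' "$conf" 2>/dev/null
}

# Constructed sample: two events from a Windows agent named win2012 and one
# from a Linux agent, in the line shape the OSSEC server writes to archives.log.
write_sample_archives() {
    cat > "$1" <<'EOF'
2020 Jun 17 09:25:58 (win2012) 192.0.2.10->WinEvtLog 2020 Jun 17 09:25:55 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN2012: An account was successfully logged on.
2020 Jun 17 09:26:03 (win2012) 192.0.2.10->WinEvtLog 2020 Jun 17 09:26:01 WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no user): no domain: WIN2012: The OSSEC HIDS service entered the running state.
2020 Jun 17 09:26:10 (centos7) 192.0.2.20->/var/log/secure Jun 17 09:26:09 centos7 sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50022 ssh2
EOF
}

# Check one agent against a server's archives.log and print a verdict line.
report_agent() {
    agent="$1"; archives="$2"
    if agent_delivers_logs "$agent" "$archives"; then
        echo "$agent: $(count_agent_events "$archives" "$agent") event(s) received"
    else
        echo "$agent: no events; confirm the agent is listed and active in agent_control -l, that its key is imported, and that 1514/udp reaches the server"
    fi
}

# Demo against the constructed sample: sh check-agent-logs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_archives "$tmp/archives.log"
    for a in win2012 centos7 missing-agent; do
        report_agent "$a" "$tmp/archives.log"
    done
    rm -rf "$tmp"
fi
```

On a real server, call `report_agent win2012 /var/ossec/logs/archives/archives.log` after confirming `logall_enabled` returns 0; if logall is off, a healthy agent whose events match no rule will still show zero lines there, which is why alerts.log alone can mislead.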