[ossec-list] PIX logs ....
I'm attempting to get alerts sent to me from an internal syslog server running ossec. A PIX debug file is at /var/log/PIX. I've set up a localfile of /var/log/PIX, and when ossec starts it says it's monitoring the local file (/var/log/PIX), and the pix_rules.xml file is loaded. However, whenever any of the alerts occur (I know they do because they show up in the /var/log/PIX file), I receive no email alert from ossec whatsoever. (Yes, I do receive e-mail alerts from other processes / error conditions, like sshd successful authentication etc.)

The only thing I can think of is that the log_format may be incorrect? If it's not syslog, what would be the appropriate entry?

Any ideas?

Below is my ossec.conf:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>cvanderkolff@xxxxxxxxxx</email_to>
    <smtp_server>10.9.8.7</smtp_server>
    <email_from>ossecm@xxxxxxxxxx</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed - default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/etc/httpd/logs/error_log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/PIX</location>
  </localfile>
</ossec_config>
Chris Vanderkolff
EDULINX Canada Corporation
2 Robert Speck Parkway
Mississauga, ON
L4Z 1H8
(905) 306-2547
Cell (416) 818-4082
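One quick way to narrow down why a setup like the one in this post produces no alerts is to check whether the lines in /var/log/PIX actually have the shape the syslog log_format and the PIX decoder expect. This is an added diagnostic example, not the poster's code or OSSEC's own; the "Mon DD HH:MM:SS host message" header layout and the %PIX-<severity>-<id>: prefix it tests for are simplified assumptions about the decoder, and the sample lines are constructed.

```python
import re

# Assumed, not taken from the post: OSSEC's "syslog" log_format wants a classic
# "Mon DD HH:MM:SS host message" header, and its PIX decoder keys on the
# "%PIX-<severity>-<id>:" message id. Both are simplified here for a quick check.
SYSLOG_HDR = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<rest>.*)$"
)
PIX_ID = re.compile(r"%(?P<platform>PIX|ASA|FWSM)-(?P<sev>\d)-(?P<msgid>\d{6}):")


def diagnose_line(line):
    """Return (status, detail): "ok", "no_syslog_header" or "no_pix_message_id"."""
    m = SYSLOG_HDR.match(line.rstrip("\n"))
    if not m:
        # Header missing: the syslog log_format cannot read this line at all.
        return ("no_syslog_header", None)
    p = PIX_ID.search(m.group("rest"))
    if not p:
        # Syslog-shaped but not a PIX message, so pix_rules.xml never fires.
        return ("no_pix_message_id", m.group("rest")[:40])
    return ("ok", {"host": m.group("host"), "platform": p.group("platform"),
                   "severity": int(p.group("sev")), "msgid": p.group("msgid")})


def diagnose_file(lines):
    """Count lines per status so the dominant failure mode stands out."""
    counts = {}
    for line in lines:
        status, _ = diagnose_line(line)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample lines in the shapes a /var/log/PIX file might contain.
SAMPLE_LINES = [
    "Jun  5 10:12:01 fw01 %PIX-6-302013: Built outbound TCP connection 1187 "
    "for outside:203.0.113.5/80 to inside:192.0.2.10/4321",
    "Jun  5 10:12:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.9/5555 "
    'dst inside:192.0.2.10/23 by access-group "outside_in"',
    # Header stripped, e.g. the receiving daemon wrote the raw PIX text only
    "%PIX-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:192.0.2.10/23",
    # Syslog-shaped line with no PIX message id
    "Jun  5 10:12:03 fw01 last message repeated 3 times",
]

if __name__ == "__main__":
    print(diagnose_file(SAMPLE_LINES))
```

Lines reported as "ok" can still produce no mail if the matching pix rule's level is below the email_alert_level of 3 set in the posted config, so check the rule level in pix_rules.xml as well.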