I am using syslog-ng in a mixed environment (Linux/Unix/Win). Windows events are forwarded to the syslog-ng server via an eventlog-to-syslog utility. Events are stored in a MySQL db and retrieved using php-syslog-ng. I needed some way to analyze the logs automatically and thought OSSEC might be a nice fit. I've got OSSEC as a "local" installation on the syslog-ng server and began doing some testing.

In order to have OSSEC analyze the incoming events, I configured syslog-ng to dump all events to a file (in addition to the db) and then pointed OSSEC at the file. However, since both M$ and Unix syslog messages are mixed together, and the <log_format> is specified as "syslog", "windows" events keep triggering with:

    Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system."

(i.e. there's some string in the M$ eventlog like failure, error, etc.). I'm a little confused about how the rules work. I read in another post that they behave like firewall rules. I assume they get processed in order of "rule_id" and stop at the first match.

So, then I tried writing the Unix messages to one file and Windows messages to another. However, when I specify the <log_format> for the Windows messages as "eventlog", I receive this error when starting up OSSEC:

    Starting OSSEC HIDS v0.9 (by Daniel B. Cid)...
    2006/08/08 09:07:00 ossec-logcollector(1903): Invalid event log: '/var/log/syslog-ng/winevents.all'.
    2006/08/08 09:07:00 ossec-logcollector(1202): Configuration problem. Exiting.
    2006/08/08 09:07:00 ossec-logcollector(1202): Configuration problem. Exiting.
    ossec-logcollector: Configuration error. Exiting

Since the MS eventlog messages are being written in a syslog format, do I need to customize the rules to process them correctly? Am I missing something obvious here?

Thanks for your help…

- Rich
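As an added illustration (not part of Rich's post or the OSSEC project's own files), this is the kind of <localfile> configuration that matches the setup described above: syslog-ng is already writing Unix and Windows messages to two separate files, and both are text in syslog format, so OSSEC reads both with log_format "syslog". The "eventlog" log_format is meant for an OSSEC agent reading a Windows Event Log channel directly on the Windows host, which is why it rejects a file path. The Unix file name is an assumed placeholder; the Windows file path is the one from the post.

```xml
<!-- ossec.conf fragment (added example, not from the original post) -->
<ossec_config>

  <!-- Unix/Linux messages written by syslog-ng; file name is assumed -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-ng/unix.all</location>
  </localfile>

  <!-- Windows events forwarded by the eventlog-to-syslog utility.
       They arrive as syslog text lines, so they are still "syslog" to
       OSSEC; "eventlog" is only valid on a Windows agent reading a
       channel such as <location>Security</location>. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-ng/winevents.all</location>
  </localfile>

</ossec_config>
```

Keeping the two streams in separate files still pays off for detection tuning: OSSEC decoders and custom rules can then be written against the Windows line format without affecting the generic syslog rules that fire on the Unix file.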