[ossec-list] apache decoder
Hi list,
I am using ossec 0.8-3
I just upgraded from 0.8
1. I edited the rules files, and during the upgrade (I recall I was asked if I wanted to update the rules) the whole files were changed instead of particular rules. I added my own rules that are now lost. (No big deal now.)
I would consider a way to have user-defined rules files that won't be modified during an upgrade.
2. The apache decoder matches local apache files. In a setup I am testing I do have the apache log go straight to syslog, therefore the lines start with http[<pid-number>]: [error] ....
I changed the decoder.xml to match, but I will be in trouble on my next upgrade. RFCs are welcome.
3. Picture this scenario:
a) I do not want to use IO and Disk space to log syslog locally in each server.
b) I have setup a central syslog that collects all syslogs from the remote machines.
c) I want to have the syslog logs and also the ossec logs.
d) I want to save syslog bandwidth (I read that ossec can save 70% traffic)
How should I set it up so I do not send the alert twice (once to syslog and once to ossec)?
Do I need to install ossec on each server even when there are no local syslog files?
4. I wrote a little script that gives me a summary report for all the events.
Attachment:
ossec_report.pl
Description: Perl program
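The decoder problem in point 2 comes down to the same Apache error event arriving in two shapes: as Apache writes it to its local error_log, and wrapped in a syslog header (`hostname http[pid]:`) when Apache logs straight to syslog. The following is an added example, not code from the post or from the OSSEC project: a small Python normaliser that strips either prefix, extracts the Apache level, client address and message, and derives a key that is identical for both shapes, which is the property you want before alerting so that the local and the forwarded copy are recognised as one event rather than two. The sample log lines, the host name `web01`, the program name `http` (taken from the post's description) and the pid are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample lines (not from the original post). The first is the local
# error_log form; the second is the same event after Apache logged to syslog and
# the central syslog server wrote it out with a "host program[pid]:" header.
LOCAL_LINE = ("[Sun Mar 12 10:15:03 2006] [error] [client 192.0.2.10] "
              "File does not exist: /var/www/html/favicon.ico")
SYSLOG_LINE = ("Mar 12 10:15:03 web01 http[1234]: [error] [client 192.0.2.10] "
               "File does not exist: /var/www/html/favicon.ico")
# An Apache notice without a client field, and an unrelated syslog line.
NOTICE_LINE = "Mar 12 10:15:04 web01 http[1234]: [notice] Apache configured -- resuming normal operations"
SSHD_LINE = "Mar 12 10:15:05 web01 sshd[99]: Accepted password for bob from 192.0.2.20 port 4022 ssh2"

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Local Apache error_log header: "[Day Mon DD HH:MM:SS YYYY] message".
LOCAL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] (?P<msg>\[.*)$")
# Apache error message body: "[level] [client IP] text"; the client part is optional.
APACHE_RE = re.compile(
    r"^\[(?P<level>[a-z]+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<text>.*)$")


def parse_apache_error(line: str) -> Optional[dict]:
    """Return normalised fields for an Apache error event in either shape,
    or None if the line is not an Apache error-log message at all."""
    m = SYSLOG_RE.match(line)
    if m:
        source, host, pid, body = "syslog", m.group("host"), m.group("pid"), m.group("msg")
    else:
        m = LOCAL_RE.match(line)
        if not m:
            return None
        source, host, pid, body = "local", None, None, m.group("msg")
    a = APACHE_RE.match(body)
    if not a:
        return None  # syslog line from some other program, e.g. sshd
    return {
        "source": source,
        "host": host,
        "pid": pid,
        "level": a.group("level"),
        "client": a.group("client"),
        "text": a.group("text"),
    }


def event_key(rec: dict) -> tuple:
    """Key that is the same whether the event came from the local file or via
    syslog, so a correlator can treat the two copies as one event."""
    return (rec["level"], rec["client"], rec["text"])


if __name__ == "__main__":
    for line in (LOCAL_LINE, SYSLOG_LINE, NOTICE_LINE, SSHD_LINE):
        rec = parse_apache_error(line)
        print(event_key(rec) if rec else None)
```

Both constructed Apache lines produce the same `event_key`, while the sshd line is rejected by the Apache body pattern rather than being mis-decoded; that rejection is the check worth keeping when a decoder is widened to accept syslog-prefixed input.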
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.