
[ossec-list] Re: apache decoder



Hi Meir,

First, very nice report script. I played with it a little and really liked the
reports. Btw, is it released under the GPL, so more people can modify
and play with it?
Now, to your issues.

1- Sorry for losing your work. I will fix the install script to do a backup
of the current rules before updating them. From now on, create a
file "local_rules.xml" with your rules so that they will never be overwritten.

2- Can you provide a few log samples of your apache logs, so we can add
this format to the official release (or the changes you made to the decoder
file)?

3- I think I understood your problem. On your machines, you have both
syslog and ossec sending the logs to your remote syslog server, right?
However, you want to save some bandwidth by sending it only once...
You have two options:

-Send only using syslog and set up ossec on the server to read the
localfiles. Doing it this way, you lose encryption and compression from
ossec, but you still have both logs (ossec format on /var/ossec/logs/
and syslog format on /var/log).

-Send only using ossec. You gain more security of your logs (plus integrity
checking and rk detection), but you will need to install the ossec agent on
all your systems. The problem here is that you will not have your logs
on /var/log from the remote systems anymore. You can still have all
remote logs stored, but they will be under /var/ossec/logs/archives/.

Thanks.

--
Daniel B. Cid
dcid ( at ) ossec.net
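The two configuration pieces Daniel points at above, written out as an added example (this is not code from the thread or from the OSSEC project itself): a site-specific local_rules.xml that survives upgrades, and the ossec.conf entries that make the server read the files a central syslog host already writes. The file paths, the rule IDs 100001/100002, the group name, the network range and the matched string are all assumptions chosen for illustration; rule 1002 is the stock generic catch-all rule and authentication_failed is a stock rule group.

```xml
<!-- Added example, not from the thread. Two fragments, each for its own file. -->

<!-- (1) /var/ossec/rules/local_rules.xml
     Custom rules live here so a rule update never overwrites them.
     OSSEC reserves IDs 100000-119999 for user-defined rules. -->
<group name="local,syslog,">

  <!-- Escalate: any authentication failure coming from a network that
       should never log in interactively (192.0.2.0/24 is a constructed value). -->
  <rule id="100001" level="12">
    <if_group>authentication_failed</if_group>
    <srcip>192.0.2.0/24</srcip>
    <description>Authentication failure from a network with no interactive users (example)</description>
  </rule>

  <!-- Suppress: a known-harmless line that otherwise lands in the generic
       "Unknown problem" rule (1002); level 0 means no alert is generated. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>example-daemon: cache refresh failed, will retry</match>
    <description>Ignore benign cache-refresh retry from example-daemon (example)</description>
  </rule>

</group>

<!-- (2) Fragment for /var/ossec/etc/ossec.conf on the server.
     Option "send only via syslog": the syslog server already stores the
     remote machines' logs under /var/log, so OSSEC just reads them locally.
     Paths are assumptions; adjust to where your syslogd writes. -->
<ossec_config>

  <rules>
    <!-- Keep the stock includes the installer wrote, then append the local file
         last so its if_sid/if_group references resolve. -->
    <include>local_rules.xml</include>
  </rules>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!-- Apache logs that the remote hosts forward through syslog arrive in
       syslog format, so they are read as syslog here, not as "apache". -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/httpd-remote.log</location>
  </localfile>

</ossec_config>
```

The trade-off Daniel describes is visible in the second fragment: nothing here encrypts or compresses the transport, because the logs travel over plain syslog before OSSEC sees them; what you keep is a single copy on the wire and both the syslog archive in /var/log and the OSSEC alerts under /var/ossec/logs/.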



On 7/2/06, Meir Michanie <meirgotroot@xxxxxxxxx> wrote:
> Hi list,
> I am using ossec 0.8-3
> I just upgraded from 0.8
> 1. I edited the rules files and during the upgrade ( I recall I was asked if
> I wanted to update the rules) the whole files were changed instead of
> particular rules. I added my own rules that now are lost. ( No big deal
> now).
> I would consider a way to have user-defined rules files that won't be
> modified during an upgrade.
> 2. The apache decoder matches local apache files. In a setup I am testing I
> do have the apache log straight to syslog, therefore the lines start with
> http[<pid-number>]: [error] ....
> I changed the decoder.xml to match, but I will be in trouble on my next
> upgrade. RFC are welcome.
> 3. Picture this scenario:
>  a) I do not want to use IO and Disk space to log syslog locally in each
> server.
>  b) I have setup a central syslog that collects all syslogs from the remote
> machines.
>  c) I want to have the syslog logs and also the ossec logs.
>  d) I want to save syslog bandwidth ( I read that ossec can save 70% traffic)
> How should I set it up so I do not send the alert twice (once to syslog and
> once to ossec)?
> Do I need to install ossec on each server even when there are no localsyslog
> files?
> 4. I wrote a little script that gives me a summary report for all the
> events.






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.