[ossec-list] implementation question
I have an implementation and configuration question.
I have just started working on rolling out ossec-hids for our department.
We have a RedHat machine used for tripwire monitoring which we will probably
also use as our ossec server. This machine currently receives syslogs from
most of our other servers. The way ossec currently sends email alerts, the
name of the machine originating the syslog message is not included in the
ossec email, so I have to go look at the appropriate logfile on the ossec
server to learn which machine actually has the reported problem.
E.g., log alert:
** Alert 1149834096.2655: mail
2006 Jun 09 02:21:36 /var/log/messages
Rule: 102 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
root: [ID 702911 user.error] Fri Jun 09 02:21:35 EDT 2006(ERROR) => Thread[Thread-20,5,main] <=Problem installing patches: NOTICE: At least one patch type property is forbidden by the installation policy or
other conditions were detected that prevented the patch from being installed.: 113451-11
Actual alert in /var/log/messages:
Jun 5 02:21:10 ecourses-dev-1 root: [ID 702911 user.error] Mon Jun 05 02:21:10 EDT 2006(ERROR) => Thread[Thread-20,5,main] <=Problem installing patches: NOTICE: At least one patch type property is forbidden by
the installation policy or other conditions were detected that prevented the patch from being installed.: 113451-11
Obviously, we may need to rethink how we handle our logs, because if we install
the ossec agent on our servers AND forward the syslogs to the ossec server, we
can expect to receive duplicate alerts for the same issue.
What is the recommended way to implement ossec in such a case? Is this what
remoted is for? Is ossec compatible with forwarding syslogs?
-- Leslie Arvin
arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
Network Systems Administrator, ITI-Unix Platforms
Purdue University, Information Technology at Purdue
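The alert quoted above shows the syslog line minus its header: the timestamp and the originating hostname have been stripped, and only the remainder ("root: [ID 702911 ...") is reported. The following is an added example, not OSSEC's code and not from the post, showing how a defender can parse BSD syslog lines on the collecting server, match an alert body back to the host or hosts that produced it, and collapse the agent/syslog duplicates the post anticipates. The sample log lines, the hostname "patch-test-2", and the event tuples are constructed for the example (ecourses-dev-1 and patch 113451-11 are taken from the post).

```python
"""Recover the originating host behind an OSSEC-style alert body.

Added example, not OSSEC code.  The alert quotes a syslog line with its
BSD header (timestamp, hostname) removed, so matching the remainder back
against the server's /var/log/messages recovers the hostname.  If the same
issue arrives twice (once via an agent, once via forwarded syslog), the
(host, body) pair identifies the duplicate.  All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 3164 header: "Mon DD HH:MM:SS hostname rest-of-line" (day may be space-padded)
_BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$"
)


@dataclass(frozen=True)
class SyslogRecord:
    timestamp: str
    host: str
    body: str  # what remains after the header, i.e. what the alert shows


def parse_bsd_syslog(line: str) -> Optional[SyslogRecord]:
    """Split a BSD syslog line into header fields and body; None if malformed."""
    m = _BSD_HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    return SyslogRecord(m["ts"], m["host"], m["body"])


def find_origin_hosts(alert_body: str, syslog_lines: Iterable[str]) -> list:
    """Hosts whose log body equals the alert body, in file order, without repeats.

    More than one host can return: the body alone does not identify the
    machine, which is exactly the gap the post describes.
    """
    hosts = []
    for line in syslog_lines:
        rec = parse_bsd_syslog(line)
        if rec and rec.body.strip() == alert_body.strip() and rec.host not in hosts:
            hosts.append(rec.host)
    return hosts


def dedup_alerts(events: Iterable[tuple]) -> list:
    """Keep the first of each (host, body) pair; events are (source, host, body).

    An agent-delivered copy and a syslog-forwarded copy of the same message
    collapse into one, while the same message from a different host survives.
    """
    seen = set()
    unique = []
    for source, host, body in events:
        key = (host, body.strip())
        if key in seen:
            continue
        seen.add(key)
        unique.append((source, host, body))
    return unique


# Constructed /var/log/messages excerpt as the collecting server would hold it.
SAMPLE_MESSAGES = [
    "Jun  5 02:21:10 ecourses-dev-1 root: [ID 702911 user.error] Problem installing patches: 113451-11",
    "Jun  5 02:21:11 patch-test-2 root: [ID 702911 user.error] Problem installing patches: 113451-11",
    "Jun  5 02:21:12 patch-test-2 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
]

# Constructed alert body, shaped like the post's alert: header already stripped.
ALERT_BODY = "root: [ID 702911 user.error] Problem installing patches: 113451-11"

# Constructed alert stream: one host seen twice (agent + forwarded syslog), one once.
SAMPLE_EVENTS = [
    ("agent", "ecourses-dev-1", ALERT_BODY),
    ("syslog", "ecourses-dev-1", ALERT_BODY),
    ("syslog", "patch-test-2", ALERT_BODY),
]

if __name__ == "__main__":
    print("candidate hosts:", find_origin_hosts(ALERT_BODY, SAMPLE_MESSAGES))
    for source, host, body in dedup_alerts(SAMPLE_EVENTS):
        print(f"{host:16} via {source:6} {body}")
```

Running it lists both ecourses-dev-1 and patch-test-2 as candidates for the alert body, which is why attaching the hostname at alert time (rather than recovering it afterwards) is the property to look for, and reduces the three events to two alerts.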
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.