
[ossec-list] Re: implementation question



Hi Leslie,

Thanks for the suggestions. I just sent an e-mail on some other thread about
some changes I made to add the hostname in the alerts. It should be
available here:

http://www.ossec.net/files/ossec-hids-0.8-3.tar.gz

Regarding your second question, if you can install the ossec-agent in
a specific system, you don't need to forward the logs using syslog.
Ossec is going to do that already (with encryption and on the next
version with compression*). If you still want to use syslog only,
you can configure ossec-remoted to receive syslog messages directly
without the need to use syslogd.

*on my tests with compression, the amount of data on the network
went down by more than 70% compared with using plain syslog (or ossec
without encryption). Just wait a little bit more until it is stable
to release :)

Hope I was able to help.

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net


On 6/9/06, Leslie S Arvin <arvin@xxxxxxxxxx> wrote:
>
> I have an implementation and configuration question.
>
> I have just started working on rolling out ossec-hids for our department.
> We have a RedHat machine used for tripwire monitoring which we will probably
> also use as our ossec server.  This machine currently receives syslogs from
> most of our other servers.  The way ossec currently sends email alerts, the
> name of the machine originating the syslog message is not included in the
> ossec email, so I have to go look at the appropriate logfile on the ossec
> server to learn which machine actually has the reported problem.
>
> E.g., log alert:
>
> ** Alert 1149834096.2655: mail
> 2006 Jun 09 02:21:36 /var/log/messages
> Rule: 102 (level 7) -> 'Unknown problem somewhere in the system.'
> Src IP: (none)
> User: (none)
> root: [ID 702911 user.error] Fri Jun 09 02:21:35 EDT 2006(ERROR) => Thread[Thread-20,5,main] <=Problem installing patches: NOTICE: At least one patch type property is forbidden by the installation policy or
> other conditions were detected that prevented the patch from being installed.: 113451-11
>
> Actual alert in /var/log/messages:
>
> Jun  5 02:21:10 ecourses-dev-1 root: [ID 702911 user.error] Mon Jun 05 02:21:10 EDT 2006(ERROR) => Thread[Thread-20,5,main] <=Problem installing patches: NOTICE: At least one patch type property is forbidden by
> the installation policy or other conditions were detected that prevented the patch from being installed.: 113451-11
>
> Obviously, we may need to rethink how we handle our logs, because if we install
> the ossec agent on our servers AND forward the syslogs to the ossec server, we
> can expect to receive duplicate alerts for the same issue.
>
> What is the recommended way to implement ossec in such a case?  Is this what
> remoted is for?  Is ossec compatible with forwarding syslogs?
>
> -- Leslie Arvin
>     arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
>     Network Systems Administrator, ITI-Unix Platforms
>     Purdue University, Information Technology at Purdue
>

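The two delivery paths discussed above (agent to ossec-remoted, or syslog straight into ossec-remoted) are selected in ossec.conf. The fragment below is an added illustration, not configuration shipped with the list posts or with the OSSEC release linked above; the `<remote>` block with `connection`, `port` and `allowed-ips` is the documented OSSEC syntax, and the network addresses are constructed placeholders. It also shows the practical answer to the duplicate-alert concern: a host either runs an agent or is listed as a syslog sender, never both.

```xml
<ossec_config>

  <!-- Listener for hosts that run ossec-agent.
       Traffic arrives encrypted over the agent protocol;
       no syslog forwarding is needed from these hosts. -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>

  <!-- Listener for hosts that cannot run an agent.
       ossec-remoted accepts plain syslog here, so the local
       syslogd on the server does not have to be involved.
       The CIDR range is a constructed example value. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

</ossec_config>
```

Keep the agent-equipped servers out of `allowed-ips`, and keep their syslog forwarding off, so each event reaches the server by exactly one path and produces a single alert.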





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.