From OSSEC Wiki
Supported log formats
OSSEC supports the following log formats (grouped by rule ID):
- Unix-only:
  - Unix PAM
  - sshd (OpenSSH)
  - Solaris telnetd
  - Samba
  - su
  - sudo
  - rshd
  - xinetd
  - adduser/deluser/etc.
  - cron/crontab
  - Solaris BSM auditing
  - dpkg (Debian package) logs
  - yum logs
- FTP servers:
  - ProFTPD
  - Pure-FTPd
  - vsftpd
  - wu-ftpd
  - Microsoft FTP server
  - Solaris ftpd
  - Tru64 ftpd
  - HP-UX ftpd
  - Mac OS FTP server
- Mail servers:
  - imapd and pop3d
  - Postfix
  - Sendmail
  - vpopmail
  - Microsoft Exchange
  - Courier imapd/pop3d/pop3-ssl
  - vm-pop3d
  - SMF-SAV (Sendmail Sender Address Validator)
  - Procmail
  - MailScanner
  - Dovecot
- Web servers:
  - Apache web server (access log and error log)
  - IIS 5/6 web server (NCSA and W3C extended formats)
  - Zeus web server
  - Nginx web server
- Web applications:
  - Horde IMP
  - Roundcube
  - ModSecurity
  - WordPress
  - Compaq Insight Manager server (cimserver)
- Firewalls:
  - iptables firewall
  - Shorewall (iptables-based) firewall
  - Solaris ipfilter firewall
  - AIX ipsec/firewall
  - NetScreen firewall
  - Windows firewall
  - Cisco PIX/ASA/FWSM
  - SonicWall firewall
  - Check Point firewall
- Databases:
  - MySQL
  - PostgreSQL
- NIDS:
  - Cisco IOS IDS/IPS module
  - Snort IDS (snort full, snort fast and snort syslog output formats)
  - Dragon NIDS
  - Check Point SmartDefense
- Security tools:
  - Symantec AntiVirus
  - Symantec Web Security
  - Trend Micro OSCE (OfficeScan)
  - Microsoft Security Essentials
  - Nmap
  - Arpwatch
  - McAfee VirusScan Enterprise (v8 and v8.5)
  - Suhosin (Hardened PHP)
- Others:
  - named (BIND)
  - Squid proxy
  - Blue Coat proxy
  - Cisco VPN Concentrator
  - Cisco IOS routers
  - Asterisk
  - VMware ESX
  - Windows event logs (logins, logouts, audit information, etc.)
  - Windows Routing and Remote Access logs
  - Generic Unix (Tru64, HP-UX, AIX, etc.) authentication events (adduser, logins, logouts, etc.)
  - Generic Linux (Red Hat, Ubuntu, SUSE, etc.) authentication and system-level events