From OSSEC Wiki

Contents 1 OSSEC Frequently Asked Questions 1.1 Section 1 (Understanding ossec) 1.2 Section 2 (Tutorials) 1.3 Section 3 (When the unexpected happens) 1.4 Section 4 (How to..) 1.5 Section 5 (Development) 1.6 Section 6 (Configuring external logging) 1.7 Section 7 (Known Bugs)

OSSEC Frequently Asked Questions

Section 1 (Understanding ossec)

• 1.01 What is an HIDS (Host-based Intrusion Detection System)?
• 1.02 What is log analysis?
• 1.03 What is LIDS (Log-Based intrusion detection?
• 1.04 What is OSSEC HIDS?
• 1.20 Is there a list of ossec users?
• 1.25 What do ossec users say about it?
• 1.30 What are the platforms/operating systems supported by ossec?
• 1.40 What log formats/devices are supported by ossec?
• 1.45 I am lost! How do I get started?
• 1.50 How do I install ossec?
• 1.51 What packages do I need before installing ossec?

Section 2 (Tutorials)

• 2.10 How does the decoder.xml relate to the rules?
• 2.20 Is there any mapping between alerts and threats/attacks taxonomies?
• 2.30 Regular Expressions Syntax for Rules and Decoders
• 2.35 What syslog formats OSSEC support?
• 2.40 What this Windows event ID means?
• 2.50 What does the OSSEC Windows Agent do?
• 2.51 Understanding the Windows policy Monitoring on OSSEC
• 2.60 Creating Customized Active Responses
• 2.70 How to set up Database Output?
• 2.80 How to enable Prelude support?
• 2.90 How to perform a binary install on systems without a compiler?

Section 3 (When the unexpected happens)

• 3.10 How do I troubleshoot ossec?
• 3.20 How do I debug ossec?
• 3.30 How do I report a bug related to ossec?
• 3.40 The agent/server communication is not working. How to fix it?
• 3.41 What does "1403 - Incorrectly formated message" means?
• 3.42 What does "1210 - Queue not accessible?" means
• 3.45 One solution for syscheck not sending any file data to the server
• 3.50 Fixing "Duplicate errors" problems
• 3.70 When adding multiple agents, OSSEC doesn't work properly (crashes)

Section 4 (How to..)

• 4.01 How to ignore rules that generate too many false positives?
• 4.02 How do I configure ossec to never block some IPs in the active response?
• 4.03 Why am I not receiving emails from my ossec server?
• 4.06 Why is OSSEC not seeing my iptables messages?
• 4.07 How to correlate multiple Snort ids with OSSEC?
• 4.08 How to add multiple logs to be monitored?
• 4.09 How to monitor systems behind a NAT or with dynamic IPs (DHCP)?
• 4.10 Why am I getting multiple 675 events from AD + Samba?
• 4.11 How do I reduce the amount of CPU used by Syscheck?
• 4.12 How does the log signing work?
• 4.13 How to specify granular options for the e-mail alerting?
• 4.14 How (Why) to monitor nmap output?
• 4.15 Why is ossec telling me /usr/bin/foobar's checksum has changed?
• 4.16 Why is ossec sending me so many emails (Alerts with a level less than 7)?
• 4.17 How can I automate adding agents to ossec?
• 4.20 Is there a place where I can get additional rules?

Section 5 (Development)

• 5.01 How to start helping with the project?
• 5.21 Submitting patches
• 5.31 Beta testing

Section 6 (Configuring external logging)

• 6.10 Configuring PIX to send logs to ossec
• 6.20 Configuring Cisco IOS routers to send logs to ossec
• 6.25 Configuring Checkpoint to send logs to ossec
• 6.26 Configuring iptables to send logs to ossec
• 6.30 Configuring PostgreSQL Logging
• 6.40 Configuring MySQL Logging

Section 7 (Known Bugs)

• 7.01 v1.3, Segmentation fault on invalid rule containing frequency directive without if_matched_sid directive

• 7.21 v1.3, OSSEC-WUI Permission Denied Errors Due to SELinux on Fedora / Redhat Based Systems