From OSSEC Wiki
OSSEC Logging
Introduction
OSSEC supports three types of logs: alert logging, firewall logging and event (archive) logging.
Every message received is treated as an event. Any log message, integrity report or piece of system information is treated as such. Event logging is very expensive for the system because it archives every event. However, the archives can be useful for getting the big picture when an attack happens.
Alert logging is the most useful one. An alert is generated when an event matches one of the detection rules. In addition to logging the alert, OSSEC can also generate e-mail notifications or execute external commands in response to it.
Event logging
Inside the OSSEC default log directory (by default /var/ossec/logs) there is an "archives" directory (/var/ossec/logs/archives). Inside this directory, all events are stored by date. For example, all events received on May 22, 2004 are stored in:
/var/ossec/logs/archives/2004/May/events-22.log
After each day, a hash (MD5 and SHA1) is created for that specific day at:
/var/ossec/logs/archives/2004/May/events-22.log.checksum
This hash is the hash of the file from day 22 plus the hash from day 21.
The hash for day 1 is chained to the hash from day 31 (or 30 or 28) of the previous month.
This chaining ensures that a modified log can be detected: for a modification to go unnoticed, all the logs (since the first day) would need to be modified.
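The following is an added illustration of the chained daily checksum described above, not code from OSSEC itself. The sample archives are constructed, and the exact way the previous day's hash is appended to the file (and the md5:sha1 text layout) is an assumption; the wiki only states that each day's hash covers the file plus the previous day's hash.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample archives for three consecutive days (not real OSSEC data).
# Lexical sorting of these names gives the correct day order.
DAILY_LOGS: Dict[str, bytes] = {
    "events-20.log": b"2004 May 20 10:00:01 host sshd[101]: Accepted publickey for ops\n",
    "events-21.log": b"2004 May 21 03:14:07 host sshd[202]: Failed password for root\n",
    "events-22.log": b"2004 May 22 09:45:33 host syscheck: integrity checksum changed\n",
}

def day_checksum(content: bytes, previous: str) -> str:
    """MD5 and SHA1 over the day's file followed by the previous day's checksum.
    Concatenation order and the 'md5:sha1' layout are assumptions made here."""
    chained = content + previous.encode("ascii")
    return hashlib.md5(chained).hexdigest() + ":" + hashlib.sha1(chained).hexdigest()

def build_chain(logs: Dict[str, bytes], seed: str = "") -> Dict[str, str]:
    """Compute the .checksum value for every day in order.
    `seed` stands in for the last checksum of the previous month."""
    checksums: Dict[str, str] = {}
    previous = seed
    for name in sorted(logs):
        previous = day_checksum(logs[name], previous)
        checksums[name] = previous
    return checksums

def verify_chain(logs: Dict[str, bytes], checksums: Dict[str, str],
                 seed: str = "") -> Tuple[bool, Optional[str]]:
    """Recompute the chain; return (True, None) if every stored checksum
    matches, otherwise (False, first mismatching day)."""
    previous = seed
    for name in sorted(logs):
        expected = day_checksum(logs[name], previous)
        if checksums.get(name) != expected:
            return False, name
        previous = expected
    return True, None

if __name__ == "__main__":
    stored = build_chain(DAILY_LOGS)
    print(verify_chain(DAILY_LOGS, stored))
    tampered = dict(DAILY_LOGS)
    tampered["events-21.log"] = b"2004 May 21 03:14:07 host sshd[202]: Accepted password for root\n"
    # Editing day 21 alone is caught at day 21; re-signing only day 21 moves
    # the mismatch to day 22, whose checksum covers day 21's checksum.
    print(verify_chain(tampered, stored))
    patched = dict(stored)
    patched["events-21.log"] = day_checksum(tampered["events-21.log"], stored["events-20.log"])
    print(verify_chain(tampered, patched))
```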
Alert logging
There is an "alerts" directory in the OSSEC default logging directory. It is organized in the same way as the event logging directory; see the section above for details.