ossec.conf: Localfile options¶

Overview¶

Supported types¶

Localfile options are available in the the following installation types:

server
local

Location¶

All localfile options must be configured in the /var/ossec/etc/ossec.conf or /var/ossec/etc/shared/agent.conf and used within the <ossec_config> or <agent_config> tags.

XML excerpt to show location:

<ossec_config>
    <localfile>
        <!--
        Localfile options here
        -->
    </localfile>
</ossec_config>

Options¶

localfile
- location
  
  Specify the location of the log to be read. strftime formats may be used for log file names. For instance, a log file named file.log-2011-01-22 could be referenced with file.log-%Y-%m-%d. Wildcards may be used on non-Windows systems. When wildcards are used, the log files must exist at the time ossec-logcollector is started. It will not automatically begin monitoring new log files. strftime and wildcards cannot be used on the same entry.
  
  Default: Multiple (eg /var/log/messages)
  
  Allowed: Any log file
- log_format
  The format of the log being read.
  
  Note
  
  If the log has one entry per line, use syslog.
  
  Default: syslog
  
  Allowed:
  
  syslog
  This format is for plain text files in a syslog-like format. It can also be used when there is no support for the logging format, and the logs are single line messages.
  
  snort-full
  This is used for Snort’s full output format.
  
  snort-fast
  This is used for Snort’s fast output format.
  
  squid
  
  iis
  
  eventlog
  This is used for Microsoft Windows eventlog format.
  
  eventchannel
  This is used for Microsoft Windows eventlogs, using the new EventApi. This allows OSSEC to monitor both standard “Windows” eventlogs and more recent “Application and Services” logs. This support was added in 2.8.
  
  Warning
  
  eventchannel cannot be used on Windows systems older than Vista.
  
  mysql_log
  This is used for MySQL logs. It does not support multi-line logs.
  
  postgresql_log
  This is used for PostgreSQL logs. It does not support multi-line logs.
  
  nmapg
  This is used for monitoring files conforming to the grepable output from nmap.
  
  apache
  
  This format is for apache’s default log format.
  
  Example:
  
  [Wed Jun 9 23:32:26 2010] [error] [client 192.168.1.100] File does not exist: /htdocs/favicon.ico
  
  Example:
  
  192.168.1.100 - - [21/Jan/2010:08:31:09 -0500] "GET / HTTP/1.0" 200 2212
  
  command
  This format will be the output from the command (as run by root) defined by command. Each line of output will be treated as a separate log.
  
  full_command
  This format will be the output from the command (as run by root) defined by command. The entire output will be treated as a single log.
  
  Warning
  
  command and full_command cannot be used in the agent.conf, and must be configured in each system’s ossec.conf.
  
  djb-multilog
  
  multi-line
  This option will allow applications that log multiple lines per event to be monitored. This format requires the number of lines to be consistent. multi-line: is followed by the number of lines in each log entry. Each line will be combined with the previous lines until all lines are gathered. There may be multiple timestamps in a finalized event.
  
  Allowed: <log_format>multi-line: NUMBER</log_format>
  
  Example:
  Log messages:
  
  Aug 9 14:22:47 hostname log line one Aug 9 14:22:47 hostname log line two Aug 9 14:22:47 hostname log line three Aug 9 14:22:47 hostname log line four Aug 9 14:22:47 hostname log line five
  
  Log message as analyzed by ossec-analysisd:
  
  Aug 9 14:22:47 hostname log line one Aug 9 14:22:47 hostname log line two Aug 9 14:22:47 hostname log line three Aug 9 14:22:47 hostname log line four Aug 9 14:22:47 hostname log line five
  
  multi-line_indented
  This log format accepts logs spanning multiple lines with subsequent lines beginning with either a space or tab.
  
  Example:
  <log_format>multi-line_indented</log_format>
- command
  
  The command to be run. All output from this command will be read as one or more log messages depending on whether command or full_command is used.
  
  Allowed: Any commandline and arguments.
- alias
  An alias to identify the command. This will replace the command in the log message.
  
  For example <alias>usb-check</alias> would replace:
  
  ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':
  
  with:
  
  ossec: output: 'usb-check':
  
  Allowed: Any string.
- frequency
  
  The minimum time in seconds between command runs. The command will probably not run every frequency seconds exactly, but the time between runs will not be shorter than this setting. This is used with command and full_command.
  
  Allowed: Time in seconds.
- check_diff
  
  The output from an event will be stored in an internal database. Every time the same event is received, the output is compared to the previous output. If the output has changed an alert will be generated.
- only-future-events
  Only used with the eventchannel log format. By default, when OSSEC starts the eventchannel log format will read all events that ossec-logcollector missed since it was last stopped. It is possible to set only-future-events to yes in order to prevent this behaviour. When set to yes, OSSEC will only receive events that occured after the start of logcollector.
  
  <localfile> <location>System</location> <log_format>eventchannel</log_format> <only-future-events>yes</only-future-events> </localfile>
- query
  Only used with the eventchannel log format. It is possible to specify an XPATH query following the event schema (see Microsoft’s documentation) in order to filter the events that OSSEC will process.
  
  For example, the following configuration will only process events with an ID of 7040:
  
  <localfile> <location>System</location> <log_format>eventchannel</log_format> <query>Event/System[EventID=7040]</query> </localfile>