Hi Dave

Sorry for the late reply as I was out of the office.

I followed the steps, but I am still not receiving the logs, including
those from the Cisco router.

Also, can I search these logs via the web interface, or can I create any
queries?

Kindly help

Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A
PO Box 53553, Riyadh 11593, KSA | GMT +3
Email muralee.kanapa...@inet.net.sa

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com]
On Behalf Of Dave S
Sent: Thursday, April 29, 2010 6:27 PM
To: ossec-list
Subject: [ossec-list] Re: SYSLOG-NG AND OSSEC FOR LOG ANALYSING

Muraleedaran,
Regarding Windows Event logs: if you are getting the Security logs,
then all others should be included as well.
Check the ossec.conf on your Windows agent and make sure the following
tags are included:

<ossec_config>

  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
   .....
</ossec_config>

Next, check ossec.conf on the server.  Add the <logall> tag to the
global section as such:
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

Restart the ossec server and now all events should be logged in
/var/ossec/logs/ossec.log
This will tell you if you are receiving the log messages.  It's
possible they are not generating alerts because of a rule.
You may want to remove the <logall> tag later because ossec.log gets
very big fast.

Hope that helps.
- Dave
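One way to automate the two checks Dave describes (the agent's eventlog localfile entries and the server's logall flag), as an added example that is not part of the original thread or of OSSEC itself. The two config strings are constructed samples, not real ossec.conf files; the agent sample deliberately omits the System channel so the checker has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration; not from any real ossec.conf.
# The agent config below deliberately lacks the System channel.
AGENT_CONF = """<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

# Real ossec.conf files often contain several top-level <ossec_config>
# blocks, so the file is not one well-formed XML document on its own.
SERVER_CONF = """<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
</ossec_config>
"""

REQUIRED_EVENTLOGS = ("Application", "Security", "System")


def parse_ossec_conf(text):
    """Wrap the file in a dummy root so multiple <ossec_config> blocks parse."""
    return ET.fromstring("<root>" + text + "</root>")


def missing_eventlogs(agent_conf_text):
    """Channels with no <localfile> entry using <log_format>eventlog</log_format>."""
    found = set()
    for lf in parse_ossec_conf(agent_conf_text).iter("localfile"):
        if lf.findtext("log_format", "").strip() == "eventlog":
            found.add(lf.findtext("location", "").strip())
    return [ch for ch in REQUIRED_EVENTLOGS if ch not in found]


def logall_enabled(server_conf_text):
    """True when some <global> block carries <logall>yes</logall>."""
    return any(g.findtext("logall", "").strip().lower() == "yes"
               for g in parse_ossec_conf(server_conf_text).iter("global"))
```

Point the two functions at the text of the real agent and server ossec.conf files to get the same report for a live deployment.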
