Hi Quenten,

I'm glad it has been helpful :) Can you show us a few samples of your
firewall logs? Right now we only support iptables, ipfw, aix ipsec
and ipf. If it is being parsed correctly, you should see events at:

/var/ossec/logs/firewall/2006/Jun/ossec-firewall-12.log
(for today's log, for example).

Regarding the alerts, we currently don't do much correlation for firewall
logs. Besides the files above, the only alert we could generate is if we
see multiple firewall denies from the same source IP in a small
period of time (to be more accurate, 16 firewall denies within 2 minutes).
We still have a lot of work to do regarding firewall logs correlation and
any suggestions to improve it are very welcome :)

Thanks

--
Daniel B. Cid
dcid @ ( at ) ossec.net


On 6/11/06, Quenten Griffith <[EMAIL PROTECTED]> wrote:
> I have set up OSSEC and it is a great tool.  It has already caught a few
> things for me.  I am about to enable Active Response as well to help stop the
> brute force SSH attacks I keep on getting.  I have not been able to get
> OSSEC to alert me on my firewall log however.  It is generated with
> syslog-ng and I added it to my local list as a syslog type.  So far I have yet
> to receive one alert on this log.  I get a lot of drops during the day
> because of attempted hacks in my fwlog however OSSEC does not send me
> anything.  What is the alert looking for in firewall logs?
>

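The correlation rule Daniel describes (16 firewall denies from one source IP within 2 minutes), written out as an added example for readers of this thread. This is not OSSEC code and does not reproduce its decoders or rule engine; it is a small Python sliding-window correlator over iptables lines in syslog format. Assumptions, beyond what the thread states: the LOG prefix of a denied packet contains DROP, REJECT or DENY; syslog timestamps carry no year, so the sample uses 2006; the sample log lines, hosts and addresses are constructed, not captured.

```python
"""Sliding-window correlation of firewall denies: alert when `threshold`
denies from one source IP fall within `window_seconds`.
Added example, not OSSEC code. Assumes iptables lines logged through
syslog with a LOG prefix containing DROP/REJECT/DENY for denied packets."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# iptables kernel log line as written by syslog; only the fields we need.
IPTABLES_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<prefix>[^=]*?)\s*IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)
DENY_WORDS = ("DROP", "REJECT", "DENY")  # assumed LOG prefixes meaning "denied"
LOG_YEAR = 2006  # assumption: syslog timestamps have no year; sample is from 2006


def parse_iptables(line):
    """Return a dict of fields for an iptables log line, or None if it is not one."""
    m = IPTABLES_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["action"] = "deny" if any(w in ev["prefix"].upper() for w in DENY_WORDS) else "accept"
    return ev


def correlate(lines, threshold=16, window_seconds=120):
    """Return (time, src, count) for each time `threshold` denies from the same
    source IP fall within `window_seconds`. Lines must be in time order per source.
    The per-source counter is cleared after firing, so a sustained flood produces
    one alert per `threshold` denies rather than one per packet."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> timestamps of denies still inside the window
    alerts = []
    for line in lines:
        ev = parse_iptables(line)
        if ev is None or ev["action"] != "deny":
            continue  # not a firewall line, or an accepted packet: no correlation
        q = recent[ev["src"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop denies that have aged out of the window
        if len(q) >= threshold:
            alerts.append((ev["time"], ev["src"], len(q)))
            q.clear()
    return alerts


def _line(t, prefix, src, proto="TCP", dpt=22):
    # Constructed iptables/syslog line (not a captured log); MAC and DST are placeholders.
    stamp = t.strftime("%b %d %H:%M:%S")
    tail = f" SPT=43210 DPT={dpt}" if proto != "ICMP" else " TYPE=8 CODE=0"
    return (f"{stamp} gw kernel: {prefix} IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
            f"ID=0 DF PROTO={proto}{tail}")


def sample_log():
    """Constructed sample: 203.0.113.5 is dropped on port 22 every 5 s (20 drops),
    198.51.100.77 is dropped 5 times spread over ten minutes, plus one ACCEPT
    from the attacker that must not count. Returned in time order."""
    t0 = datetime(LOG_YEAR, 6, 12, 10, 0, 0)
    events = [(t0 + timedelta(seconds=5 * i), _line(t0 + timedelta(seconds=5 * i), "DROP", "203.0.113.5"))
              for i in range(20)]
    events += [(t0 + timedelta(minutes=2 * i), _line(t0 + timedelta(minutes=2 * i), "DROP", "198.51.100.77", "ICMP"))
               for i in range(5)]
    events.append((t0 + timedelta(seconds=7), _line(t0 + timedelta(seconds=7), "ACCEPT", "203.0.113.5", dpt=80)))
    events.sort(key=lambda e: e[0])
    return [line for _, line in events]


if __name__ == "__main__":
    for when, src, n in correlate(sample_log()):
        print(f"{when} ALERT: {n} firewall denies from {src} within 2 minutes")
```

With the defaults, only the host hammering port 22 trips the rule (at the 16th drop, 10:01:15); the host dropped five times over ten minutes never does, which is the same reason a handful of daily drops from varied sources produces no alert under a 16-in-2-minutes rule. Lowering `threshold` and widening `window_seconds` is the knob to turn if slower scans should also be reported.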