Hi list,
I am using ossec 0.8-3
I just upgraded from 0.8
1. I edited the rules files and during the upgrade (I recall I was asked if I wanted to update the rules) the whole files were changed instead of particular rules. I added my own rules that now are lost. (No big deal now.)
I would consider a way to have user-defined rules files that won't be modified during an upgrade.
2. The apache decoder matches local apache files. In a setup I am testing I do have the apache log straight to syslog, therefore the lines start with http[<pid-number>]: [error] ....
I changed the decoder.xml to match, but I will be in trouble on my next upgrade. RFCs are welcome.
3. Picture this scenario:
 a) I do not want to use IO and Disk space to log syslog locally in each server.
 b) I have setup a central syslog that collects all syslogs from the remote machines.
 c) I want to have the syslog logs and also the ossec logs.
 d) I want to save syslog bandwidth (I read that ossec can save 70% traffic)
How should I set it up so I do not send the alert twice (once to syslog and once to ossec)?
Do I need to install ossec on each server even when there are no local syslog files?
4. I wrote a little script that gives me a summary report for all the events.
Attachment: ossec_report.pl
Description: Perl program
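Added example of what the decoder change in point 2 can look like; this is not the poster's edited decoder.xml nor the stock OSSEC file. OSSEC's syslog pre-decoder already splits a forwarded line into program_name (`http` here, taken from the post) and the message, so a decoder keyed on `<program_name>` lets the existing apache error rules fire without touching the local-file form; the second decoder for the local file and the child decoder that extracts the client IP are assumptions modelled on the stock apache decoder, and the log line in the comment is constructed.

```xml
<!-- Added example, not from the post or the OSSEC project. -->

<!-- Case A: apache error log forwarded through syslog.
     The syslog pre-decoder strips "Mon DD HH:MM:SS host http[1234]: "
     and exposes program_name="http", so match on that instead of
     expecting the line to begin with "[error]". -->
<decoder name="apache-errorlog">
  <program_name>^http</program_name>
  <prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>

<!-- Case B: the same log read from a local file (no syslog header,
     so program_name is empty and only the prematch applies). -->
<decoder name="apache-errorlog">
  <prematch>^[warn] |^[notice] |^[error] </prematch>
</decoder>

<!-- Child decoder (assumed): pulls the client address out of a line such as
     "[error] [client 10.0.0.5] File does not exist: /var/www/x" (constructed)
     so rules can use srcip in both cases. OSSEC regex treats "[" literally. -->
<decoder name="apache-errorlog-ip">
  <parent>apache-errorlog</parent>
  <prematch offset="after_parent">^[client</prematch>
  <regex offset="after_prematch">^ (\S+)] </regex>
  <order>srcip</order>
</decoder>
```

Both top-level decoders share the name apache-errorlog, so rules written against that decoder apply unchanged whether the log arrives via syslog or from a local file.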