I'm attempting to get alerts sent to me from an internal syslog server running OSSEC.
A PIX debug log file is at /var/log/PIX.
I've set up a localfile entry for /var/log/PIX. When OSSEC starts it reports that it is monitoring the local file (/var/log/PIX) and that pix_rules.xml is loaded; however, whenever any of the alerts occur (I know they do because they show up in /var/log/PIX), I receive no email alert from OSSEC at all.
(Yes, I do receive e-mail alerts for other processes / error conditions, such as successful sshd authentication.)
The only thing I can think of is that the log_format may be incorrect. If it isn't syslog, what would be the appropriate entry?
Any ideas?
Below is my ossec.conf:
<!-- OSSEC server configuration: email alerting, rule set, syscheck, rootcheck,
     remote agent connection, alert thresholds and the local log files to read. -->
<ossec_config>
<!-- Email alerting is enabled; all alerts go to one recipient via the SMTP relay at 10.9.8.7.
     Recipient/sender addresses were redacted before posting. -->
<global>
<email_notification>yes</email_notification>
<email_to>[EMAIL PROTECTED]</email_to>
<smtp_server>10.9.8.7</smtp_server>
<email_from>[EMAIL PROTECTED]</email_from>
</global>
<!-- Rule files loaded at startup. pix_rules.xml is included, so PIX events are matched
     only if the decoder first recognises the lines read from /var/log/PIX
     (NOTE(review): the pix decoder keys on the message text, not on the file path; confirm
     the lines in /var/log/PIX carry the PIX message prefix the stock decoder expects). -->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- policy_rules.xml is deliberately left out of the loaded rule set -->
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
</rules>
<!-- File integrity monitoring of system binaries and configuration. -->
<syscheck>
<!-- Frequency that syscheck is executed - default every 2 hours -->
<frequency>7200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<!-- Windows files to ignore -->
<!-- These entries are inert on this Linux host; they only matter if Windows agents
     report into this server with syscheck enabled. -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
</syscheck>
<!-- Rootkit detection signature files shipped with OSSEC. -->
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<!-- No automatic blocking/response is taken on alerts; this server only reports. -->
<active-response>
<disabled>yes</disabled>
</active-response>
<!-- Accept agent connections over the authenticated/encrypted agent channel only. -->
<remote>
<connection>secure</connection>
</remote>
<!-- Alert thresholds: level 1 and above is written to the alert log, but email is sent
     only for alerts at level 3 and above. A PIX rule that fires below level 3 would show
     up in alerts.log without producing any email, which would match the symptom described
     above (check the matching rule's level in pix_rules.xml). -->
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>3</email_alert_level>
</alerts>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/error_log</location>
</localfile>
<!-- PIX firewall messages relayed by the local syslog daemon. log_format describes the
     line layout of the file (one syslog-style message per line), not the originating
     device, so "syslog" is the expected value when syslogd writes the file. -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/PIX</location>
</localfile>
</ossec_config>
Chris Vanderkolff
EDULINX Canada Corporation
2 Robert Speck Parkway
Mississauga, ON
L4Z 1H8
(905) 306-2547
Cell (416) 818-4082
