Hey Brian, I'm just getting started with ossec as well, and I just want to try to help based on my extremely limited experience with what I think is one of the best Open Source tools I've come across in a long time.
1) On the Windows agent box, there is a local ossec.conf file you have to update manually that will point your agent box to the 'server' box (c:\program files\ossec-agent\ossec.conf). I don't think this is mentioned anywhere in the documentation. (If this statement isn't true, could someone please clarify? - Thanks)
2) Try dropping down the default e-mail alert level (from, say, 7 to 3 - do this in the server's ossec.conf in the <alerts> section and <email_alert_level>) - just for testing purposes - and once you're happy, pump the alert level back to >=7 so you're not inundated with relatively harmless events and their subsequent e-mail alerts.
Just a minor point, but the e-mails don't actually come from the agent box(es); they come from the server box... so (as mentioned in the documentation) make sure your server/Linux box has all the necessary access to your SMTP box (allowed to relay, allowed to connect, etc.)
Hope this helps, and good luck....
Chris Vanderkolff
EDULINX Canada Corporation
2 Robert Speck Parkway
Mississauga, ON
L4Z 1H8
(905) 306-2547
Cell (416) 818-4082
========================
"Daniel Cid" <[EMAIL PROTECTED]>
Sent by: [email protected] 08/02/2006 10:07 PM
To: [email protected]
cc: "Brian Avis" <[EMAIL PROTECTED]>
Subject: [ossec-list] Re: Stupid newbie question.
Hi Brian,
It is not a stupid question at all and I am constantly asked about it. If you
configured your e-mail correctly, you will receive e-mails for any relevant
alert (level >= 7). The lower severity alerts will not be e-mailed by default,
but you can look at them at /var/ossec/logs/alerts/2006/Aug/*.log
(where 2006 and Aug are the current year and month). So you
would need to manually look at them or configure ossec to e-mail
all alerts (which can be painful to look at sometimes).
If you create a link to the logs directory from your web server, you will
certainly be able to see them, but just make sure to configure some
password authentication :)
*We are working on a user interface for ossec that would help solve
this kind of problem... Stay tuned.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/2/06, Brian Avis <[EMAIL PROTECTED]> wrote:
>
> Okay... I just installed ossec on a Linux box (as the server) and one
> windows box (as an agent). It appears to be up and running on both
> machines.
>
> Now for the stupid question. How do I view the alerts? Do I just wait
> for e-mail from ossec agents? Do I manually have to go through the text
> log files that ossec keeps? Is there something important I am missing?
>
> Or could I just create a link to the logs directory in my web server dir
> and view them that way?
>
>
>
> --
> Brian Avis
> SEARHC Medical Clinic
> Juneau, AK 99801
> (907) 463-4049
> Have a nice diurnal anomaly!
>
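To tie Chris's point about <email_alert_level> together with Daniel's point that lower-severity alerts only land in /var/ossec/logs/alerts/YYYY/Mon/*.log, here is an added example (not code from the thread or from the OSSEC project) that reads the threshold from an ossec.conf fragment, parses alert records in the layout OSSEC writes, and reports which alerts would have been e-mailed and which you would only find by reading the log. Both the ossec.conf fragment and the alert records below are constructed samples; the rule IDs, hosts and addresses are illustrative, and the "mail  -" marker in the alert header is assumed to follow OSSEC's habit of flagging e-mailed alerts.

```python
"""Split OSSEC alerts into 'e-mailed' vs 'log only' using the server's
email_alert_level. Added example for the ossec-list thread; the config
and log text are constructed to match OSSEC's layouts, not copied
from any real system."""
import re
import xml.etree.ElementTree as ET

DEFAULT_EMAIL_LEVEL = 7  # OSSEC's out-of-the-box threshold (Daniel's "level >= 7")

# Constructed server-side ossec.conf fragment: the <alerts> block Chris edits.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed sample in the shape of /var/ossec/logs/alerts/2006/Aug/*.log.
# Each record starts with '** Alert' and is followed by a blank line.
ALERTS_LOG = """** Alert 1154570000.100: - syslog,sshd,
2006 Aug 02 21:33:20 server->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Aug  2 21:33:19 server sshd[2001]: Accepted password for alice from 192.0.2.20 port 40000 ssh2

** Alert 1154570060.200: - syslog,sshd,authentication_failed,
2006 Aug 02 21:34:20 server->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.5
Aug  2 21:34:19 server sshd[2002]: Failed password for root from 192.0.2.5 port 40001 ssh2

** Alert 1154570120.300: mail  - ossec,
2006 Aug 02 21:35:20 (winbox) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'c:\\windows\\system32\\drivers\\etc\\hosts'

** Alert 1154570180.400: mail  - syslog,sshd,authentication_failures,
2006 Aug 02 21:36:20 server->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.5
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+):", re.M)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$", re.M)


def email_threshold(conf_xml):
    """Return <alerts><email_alert_level> from an ossec.conf, or the default."""
    root = ET.fromstring(conf_xml)
    node = root.find("./alerts/email_alert_level")
    if node is None or not node.text or not node.text.strip().isdigit():
        return DEFAULT_EMAIL_LEVEL
    return int(node.text.strip())


def parse_alerts(log_text):
    """Split alerts.log text into records: one dict per '** Alert' block."""
    alerts = []
    # Records begin at a line starting with '** Alert'; split just before each.
    for chunk in re.split(r"(?m)^(?=\*\* Alert )", log_text):
        if not chunk.strip():
            continue
        head = HEADER_RE.match(chunk)
        rule = RULE_RE.search(chunk)
        if head is None or rule is None:
            continue  # malformed or truncated record: skip rather than crash
        lines = chunk.strip().splitlines()
        alerts.append({
            "id": head.group("id"),
            "when": lines[1] if len(lines) > 1 else "",  # timestamp/location line
            "rule": int(rule.group("rule")),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
        })
    return alerts


def split_by_threshold(alerts, threshold):
    """Return (emailed, log_only): alerts at/above the threshold vs below it."""
    emailed = [a for a in alerts if a["level"] >= threshold]
    log_only = [a for a in alerts if a["level"] < threshold]
    return emailed, log_only


if __name__ == "__main__":
    threshold = email_threshold(OSSEC_CONF)
    emailed, log_only = split_by_threshold(parse_alerts(ALERTS_LOG), threshold)
    print(f"email_alert_level={threshold}: {len(emailed)} e-mailed, {len(log_only)} log only")
    for a in log_only:
        print(f"  log-only  rule {a['rule']} level {a['level']}: {a['description']}")
```

Run as-is it reports two e-mailed and two log-only alerts at the default threshold of 7; lowering email_alert_level to 3 in the fragment, as Chris suggests for testing, moves all four into the e-mailed set, which is exactly the flood he warns about once you forget to raise it again.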
