[EMAIL PROTECTED] wrote:
> gentuxx <[EMAIL PROTECTED]> writes:
>
>> Depending on what your requirements are, try OSSEC-HIDS
>> (www.ossec.net). I've been using it for a couple weeks now and it's
>> pretty handy. The longer I use it, the more I add to it, the better it
>> is. Unfortunately there isn't an ebuild for it (yet). But it's really
>> easy to install. Plus it does a lot more than just log monitoring.
>
> You say it is easy to install and so it is, but once installed it
> isn't at all clear what this thing does.
>
> I'm guessing somewhere in all the hoopla it presents you with some
> analysis of logs.
>
> It's not one bit clear from their site how to get to that point.
>
> Sorry for the rant but I was sort of surprised to find no real
> overview that tells what this tool does in some detail.
No worries about the "rant", I've seen worse. ;-) This is a budding
project and documentation is rather sparse. It's actually something that
I have recently championed. Some more documentation is available on the
wiki (http://www.ossec.net/wiki) but even that is limited at the moment.

> This is the overview on the home page:
>
> OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It
> performs log analysis, integrity checking, rootkit detection,
> time-based alerting and active response.
>
> After that there is a manual that describes running the tool, but I
> never see any detailed summary of what it really does and how to
> access the analysis.
>
> I've gone way OT here but I hoped you might write to me privately and
> describe in some detail what you do with it...

Your hopes are realized! (???) ;-) I'm not sure if the "FROM" address is
truly a private address, so if you want to send a different address, I
would be happy to help you where I can.

OSSEC reports alerts a couple of different ways. If you DID enable mail
notification, then if an event occurs that is higher than level 6 (by
default), then (assuming you configured the mailhost and email address
correctly) you should see an email describing the alert. This will depend
on the logs and files that you are monitoring. If you did NOT enable
email monitoring, then you can check the logs at
'/var/ossec/logs/alerts/2006/$(month)/logfile.log' for alerts.
"logfile.log" will represent the type of log and the day of the month
(check http://www.ossec.net/wiki/index.php/Know_How:OSSEC_Logging and
http://www.ossec.net/wiki/index.php/Know_How:Rules_Severity for more
detail).

Right now, I have ossec monitoring several logs on the "server" host as
well as a couple "agents", one of them a Windows agent, including syslog,
apache, and others. If you have any more questions please feel free to
email me privately. I've included the ossec-list here in case others who
use it can offer more than I.
-- 
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
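As an added example (not code from the original post or from the OSSEC project): a small Python reader for the text alert log the reply points at, which pulls out the alerts at or above the default mail threshold (higher than level 6, i.e. level 7 and up), so you can review what would have been e-mailed even when mail notification is off. The alerts.log layout it parses, the rule ids and the sample alerts are assumptions constructed for the example, not taken from the post.

```python
import re
from collections import namedtuple

# Constructed sample in the classic OSSEC alerts.log text layout (assumed, not
# from the original post): blank lines separate alerts, the header carries a
# "mail" marker when the alert will be e-mailed, "Rule:" carries id and level.
SAMPLE_ALERTS = """\
** Alert 1156789012.12345: - syslog,sshd,authentication_failed,
2006 Aug 22 14:03:32 server->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10

** Alert 1156789090.12400: mail  - syslog,sshd,authentication_failures,
2006 Aug 22 14:04:50 server->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.0.2.10

** Alert 1156789120.12500: mail  - syscheck,
2006 Aug 22 14:05:20 agent01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

Alert = namedtuple("Alert", "rule level description groups mail src_ip")
HEADER_RE = re.compile(r"^\*\* Alert \S+:\s*(mail)?\s*-\s*(.*?),?\s*$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_RE = re.compile(r"^Src IP: (\S+)$")

def parse_alerts(text):
    """One Alert per blank-line-separated block; unparsable blocks are skipped."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue
        rule = level = desc = src_ip = None
        for line in lines[1:]:
            if m := RULE_RE.match(line):
                rule, level, desc = int(m.group(1)), int(m.group(2)), m.group(3)
            elif m := SRC_RE.match(line):
                src_ip = m.group(1)
        if rule is None:
            continue
        groups = [g for g in header.group(2).split(",") if g]
        alerts.append(Alert(rule, level, desc, groups, header.group(1) == "mail", src_ip))
    return alerts

def above_threshold(alerts, min_level=7):
    """Alerts at or above the level that triggers OSSEC mail (default: above 6)."""
    return [a for a in alerts if a.level >= min_level]
```

To use it on a real install, read the day's file from the alerts directory the reply names and pass its contents to `parse_alerts`, then run `above_threshold` over the result.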
