gentuxx <[EMAIL PROTECTED]> writes:

>> This is the overview on the home page:
>> 
>>  OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It
>>  performs log analysis, integrity checking, rootkit detection,
>>  time-based alerting and active response.
>> 
>> After that there is a manual that describes running the tool, but I
>> never see any detailed summary of what it really does and how to
>> access the analysis.
>> 
>> I've gone way OT here but I hoped you might write to me privately and
>> describe in some detail what you do with it...
>> 
> Your hopes are realized! (???)  ;-)  I'm not sure if the "FROM" address
> is truly a private address, so if you want to send a different address,
> I would be happy to help you where I can.  OSSEC reports alerts a couple
> of different ways.  If you DID enable mail notification, then if an
> event occurs that is higher than level 6 (by default), then (assuming
> you configured the mailhost and email address correctly) you should see
> an email describing the alert.  This will depend on the logs and files
> that you are monitoring.  If you did NOT enable email monitoring, then
> you can check the logs at
> '/var/ossec/logs/alerts/2006/$(month)/logfile.log' for alerts.
> "logfile.log" will represent the type of log and the day of the month
> (check http://www.ossec.net/wiki/index.php/Know_How:OSSEC_Logging and
> http://www.ossec.net/wiki/index.php/Know_How:Rules_Severity for more
> detail).

Thanks... the From address is a real one... no munging.
I did set up mail alerts and did get one, so apparently there is a
default set of log files being monitored.

Looking at the log area you mentioned I do see detailed analysis.
Some non-user attempts to login including the IP etc.   Good stuff
there.

> Right now, I have ossec monitoring several logs on the "server" host as
> well as a couple "agents", one of them a Windows agent, including
> syslog, apache, and others.  If you have any more questions please feel
> free to email me privately.  I've included the ossec-list here in case
> others who use it can offer more than I.

  I thought I'd join the list so my response would not be rejected,
  but the ossec FAQ doesn't bother to mention the address where I
  might do that... but I've left the Cc in place in case the list doesn't
  require membership before accepting posts.

OK, here I'm a bit confused about the server/agent setup.  I took it
that one needs to set up a server and at least one agent to see reports.

I haven't ventured into monitoring on windows yet but I guessed that,
on my gentoo box I needed both server and agent to see anything
useful.

Is that right or close so far?

All I see in /etc/ossec-init.conf is:
 DIRECTORY="/var/ossec"
 VERSION="v0.9-1"
 DATE="Mon Aug 21 23:41:54 CDT 2006"
 TYPE="server"

There appears to be NO man pages with the source.  Further in toplevel
I see a file `CONFIG' that has this non-helpful bit:

    == Configuring OSSEC ==

  Just follow the steps from the install.sh script.
  More information at
  http://www.ossec.net/en/manual.html

Going to the suggested URL, then through the list to the one on `config'.  I
find silly non-useful baloney like this:

  Some of these options should only be used by the "agent"
  installation and some should only be used on the "server" or "local"
  installations. The list bellow shows each installation type and
  their options:

Apparently `server = local'  but really it is different so why not
explain that?
  
This document appears to be written by children who were unable to keep
a consistent idea throughout.

The bit about generating a key is completely confusing.  I'm told to
cut and paste it to `the agent side'.  But as I followed along with
./install.sh I saw nothing that looked like an `agent side'.

No telling what that was supposed to mean.

Then I'm pointed to an unreadable pile of XML in
 /var/ossec/etc/ossec.conf

Apparently the authors have ignored the time-honored
  variable = value
style of config.

So, ok I have a default config at /var/ossec/etc/ossec.conf.

Far as I can tell, to modify that I need to use some long-winded
complicated inserts that aren't really explained anywhere.

Can you show how you've changed the default config and why? 
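As an added example that is not part of this thread or of OSSEC itself: the earlier reply says OSSEC mails alerts above level 6 by default and writes everything to /var/ossec/logs/alerts/..., and the log was found to contain failed logins with source IPs. The script below reads text in the alerts.log layout (assumed here, since the thread names the file but never shows its contents), applies the same level-7 threshold the mailer uses, and counts alerts per source address; the sample entries are constructed.

```python
import re
from collections import Counter

# Constructed sample in the OSSEC alerts.log layout (assumed; the thread names
# the file but does not show its contents). One alert per "** Alert" header.
SAMPLE_ALERTS = """\
** Alert 1156259000.1: - syslog,sshd,
2006 Aug 22 10:03:20 gentoo->/var/log/auth.log
Rule: 5701 (level 8) -> 'Possible attack on the ssh server (or version gathering).'
Src IP: 192.0.2.10
Aug 22 10:03:19 gentoo sshd[4242]: Bad protocol version identification from 192.0.2.10

** Alert 1156259100.2: - syslog,sshd,authentication_failed,
2006 Aug 22 10:05:00 gentoo->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Aug 22 10:04:59 gentoo sshd[4250]: Failed password for root from 192.0.2.10 port 5122 ssh2

** Alert 1156259200.3: mail  - syslog,sshd,authentication_failures,
2006 Aug 22 10:06:40 gentoo->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.7
User: admin
Aug 22 10:06:39 gentoo sshd[4301]: Failed password for invalid user admin from 198.51.100.7 port 5130 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
SRCIP_RE = re.compile(r"^Src IP: (\S+)$", re.M)

def parse_alerts(text):
    # Each entry becomes a dict: rule id, level, description, source IP (or None).
    alerts = []
    for block in text.split("** Alert ")[1:]:
        rule = RULE_RE.search(block)
        if not rule:
            continue  # truncated entry: no Rule line to interpret
        ip = SRCIP_RE.search(block)
        alerts.append({"rule": int(rule.group(1)), "level": int(rule.group(2)),
                       "description": rule.group(3),
                       "src_ip": ip.group(1) if ip else None})
    return alerts

def email_worthy(alerts, threshold=7):
    # OSSEC mails alerts above level 6 by default, i.e. level 7 and up.
    return [a for a in alerts if a["level"] >= threshold]

def alerts_by_src_ip(alerts):
    # How many alerts each remote address produced (entries without Src IP ignored).
    return Counter(a["src_ip"] for a in alerts if a["src_ip"])
```

Point it at a real file with `parse_alerts(open(path).read())`; the level-5 entry is kept in the log but would not have been mailed, which is why the log directory shows more than the inbox does.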


