Hi Fred,
Alerts go from 0 to any number (up to u_int8). By default we only use from 0 to 15, but you can assign higher levels. In the order of priority, level 0 is the highest, followed by the "real" higher numbers.

Regarding the localfile options, logcollector will by itself monitor the right file based on day (and on every day change it will attempt to read a new one). You don't need to restart ossec on every day change.

To make sure that an agent can connect to the server, look at /var/ossec/queue/agent-info/. It will have information about all agents.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/22/06, Fred <[EMAIL PROTECTED]> wrote:

Many thanks for the answer.

For network traffic, yes, I could use tcpdump. I hope it is installed! And yes, traffic being UDP, you cannot see any established connection (with "lsof" or "netstat"). But the server's socket is open (everything seems OK with Agents and Server).

Daniel / OSSEC Team ==> can you confirm that syscheckd doesn't need to be restarted every time a file name changes?

At last, thanks for the link with severity levels. I hadn't seen it. But again, one thing is not clear: do levels go from 0 to 15 (in wiki, and what would be the most logical), or 1 to 16 (in manual)??

Fred

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of gentuxx
Sent: Tuesday, August 22, 2006 12:42 AM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: [ossec-list] Re: Alert emails not send (or received ?) and other features request

Fred wrote:
> Hi everyone,
>
> I have some more questions with OSSEC... (which I try to deploy on
> 14 servers in a complex network).
>
> Now that configuration files seem correctly parsed (was another
> subject), I don't receive any more alert email...? So here are my
> questions:
>
> - how to be sure that agents connect with OSSEC Server ? (forget
> sniffers like Ethereal, that's forbidden).

What about tcpdump or snoop (Solaris)? These utilities are usually installed by default, depending on which *nix you're using. Traffic from agent to server is UDP, so I don't believe that it will show up in a netstat as having an "ESTABLISHED" connection. But, on the server you should see that there is a UDP socket open.

> - checked localfiles change every day (with "%Y-%m-%d"). Does
> OSSEC Agent re-read (or re-parse) conf file as needed (so, in my
> case, every day) ?

AFAIK, you need to restart ossec if you make any changes to the config file. But looking at the source, I *believe* the syscheckd reads its own config file every time it goes to do a check.

> - if a localfile to check doesn't exist a day, but exists next
> day, will OSSEC check it, or should OSSEC Agent be restarted ?

It should get picked up, but may not alert depending on file location, name, etc.

> - in Server conf file, what is the most "noisy" severity level:
> 1 or 16 ? I would say "16", like syslog severity level, but would
> like to be sure.

1 is the most "noisy", as in, will generate the most events. 16 is the most severe. You can get more info from the Wiki here:
http://www.ossec.net/wiki/index.php/Know_How:Rules_Severity

>
> Many thanks !
>
> Fred
>

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
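Two of the operational checks discussed in this thread, written up as an added example (this is not code from the OSSEC project or from anyone in the thread): expanding a strftime-style `<localfile>` location for the current day and for the next day, which shows the file logcollector will move to at the day change without any restart or config re-parse, and reading `/var/ossec/queue/agent-info/` to see which agents have checked in recently, as Daniel suggests. The example assumes, as a convention rather than something the thread documents, that each agent-info entry is a file whose modification time is refreshed when that agent checks in; the log path pattern, agent names and ages used in the demo functions are constructed, not taken from a real installation.

```python
import os
import tempfile
import time
from datetime import date, timedelta
from typing import Dict, Tuple

# Constructed pattern in the style of a date-based <localfile> entry.
EXAMPLE_PATTERN = "/var/log/app-%Y-%m-%d.log"


def resolve_localfile(pattern: str, day: date) -> str:
    """Expand a strftime-style <localfile> location for one day.

    This mirrors what the thread says logcollector does: the config is not
    re-read at midnight, the pattern is simply expanded again for the new day.
    """
    return day.strftime(pattern)


def rotation_on_day_change(pattern: str, day: date) -> Tuple[str, str]:
    """Return (file watched on `day`, file logcollector will look for next day)."""
    return (resolve_localfile(pattern, day),
            resolve_localfile(pattern, day + timedelta(days=1)))


def agent_status(agent_info_dir: str, now: float,
                 stale_after: float = 1800.0) -> Dict[str, str]:
    """Classify each agent-info entry as 'active' or 'stale' by its mtime.

    Assumption (not verified against the thread): an agent's entry is touched
    when it checks in, so an old mtime means the agent has not reached the
    server within `stale_after` seconds.
    """
    status: Dict[str, str] = {}
    for name in sorted(os.listdir(agent_info_dir)):
        mtime = os.path.getmtime(os.path.join(agent_info_dir, name))
        status[name] = "active" if now - mtime <= stale_after else "stale"
    return status


def demo_localfile() -> Tuple[str, str]:
    """Month boundary case: 2006-08-31 rolls over to 2006-09-01."""
    return rotation_on_day_change(EXAMPLE_PATTERN, date(2006, 8, 31))


def demo_agents() -> Dict[str, str]:
    """Build a constructed agent-info directory with two fake agents and classify it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed entries: one checked in a minute ago, one two hours ago.
        for name, age_seconds in (("web01-10.0.0.5", 60), ("db01-10.0.0.9", 7200)):
            path = os.path.join(tmp, name)
            with open(path, "w"):
                pass
            os.utime(path, (now - age_seconds, now - age_seconds))
        return agent_status(tmp, now)


if __name__ == "__main__":
    print(demo_localfile())
    print(demo_agents())
```

On a real server you would point `agent_status` at `/var/ossec/queue/agent-info/` and `time.time()`; an entry that stays "stale" while the agent host is up usually means UDP traffic from that agent is not reaching the server, which is the situation Fred was trying to confirm without a sniffer.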
