Hi John,
Answers inline. On 10/2/06, John McKean <[EMAIL PROTECTED]> wrote:
First, OSSEC Rocks!
Thanks :) I bet every developer and contributor likes to hear it.
Second, I would like to configure OSSEC to parse my web logs from our reverse proxy. The reverse proxy we use does not support the OSSEC agent. I will however FTP the web logs to the OSSEC server. So...
Can you show us a sample of the logs from your reverse proxy? If it is not in a common format (Apache, IIS or Squid-like) you will need a new decoder and some rules for it. Shouldn't be hard to do, and with some logs we can help you. Which operating system does this reverse proxy run on? Does it support sending the logs via syslog? You will gain much more value by analyzing them as close to real time as possible, instead of reading them as a batch... Can you name the reverse proxy you are using?
If I have the following directory structure (for example): /var/log/proxyftp/domain1 /var/log/proxyftp/domain2 ... How can I configure OSSEC to parse the logs in these various directories and a specified time?
You will need to add a "localfile" entry for each log file. Something like:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/proxyftp/domain1</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/proxyftp/domain2</location>
  </localfile>

But do try to check whether your proxy server really does not support remote syslog, or whether you really cannot install an agent on it...
Warm Regards, John R. McKean Sr. Systems Security Administrator Oregon State Lottery (503) 540-1462
Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net
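The reply above says to add one "localfile" entry per log file. With one directory per proxied domain, that is tedious to maintain by hand, so here is an added example (not from the thread, not OSSEC's own code) that walks a /var/log/proxyftp-style tree, finds the per-domain log file and renders the matching localfile entries in ossec.conf syntax. The directory layout (root/domain/access.log), the file name and the temporary tree the demo builds are assumptions for this example; the default log_format is "syslog" as in the reply, with "apache" as the obvious alternative if the proxy writes Common or Combined Log Format.

```python
"""Generate OSSEC <localfile> entries for a tree of FTP'd proxy logs.

Added example for the thread above; it is not OSSEC's own tooling.
Assumed layout: <root>/<domain>/<filename>, one directory per proxied domain.
"""
import os
import tempfile
from xml.sax.saxutils import escape


def discover_logs(root, filename="access.log"):
    """Return the sorted paths of every <root>/<domain>/<filename> that exists.

    Directories without the log file yet (a domain that has not been FTP'd)
    are skipped, so the generated config never points OSSEC at a missing file.
    """
    found = []
    for domain in sorted(os.listdir(root)):
        candidate = os.path.join(root, domain, filename)
        if os.path.isfile(candidate):
            found.append(candidate)
    return found


def localfile_entries(paths, log_format="syslog"):
    """Render one <localfile> block per path, in ossec.conf syntax.

    'syslog' is the generic one-line-per-event reader suggested in the reply;
    pass 'apache' when the proxy writes Common/Combined Log Format.
    Paths are XML-escaped so a directory name containing '&' cannot break
    the config file.
    """
    blocks = []
    for path in paths:
        blocks.append(
            "  <localfile>\n"
            "    <log_format>%s</log_format>\n"
            "    <location>%s</location>\n"
            "  </localfile>" % (escape(log_format), escape(path))
        )
    return "\n".join(blocks)


def ossec_config(paths, log_format="syslog"):
    """Wrap the entries in <ossec_config> so the output can be appended to ossec.conf."""
    return "<ossec_config>\n%s\n</ossec_config>\n" % localfile_entries(paths, log_format)


def demo():
    """Build a constructed proxyftp-like tree in a temp dir and render the config.

    The tree, the domain names and the sample log line are all constructed here.
    """
    root = tempfile.mkdtemp(prefix="proxyftp-")
    for domain in ("domain1", "domain2"):
        os.makedirs(os.path.join(root, domain))
        with open(os.path.join(root, domain, "access.log"), "w") as fh:
            fh.write("constructed sample log line\n")
    os.makedirs(os.path.join(root, "empty-domain"))  # no log yet: must be skipped
    paths = discover_logs(root)
    return root, paths, ossec_config(paths)


if __name__ == "__main__":
    _, _, cfg = demo()
    print(cfg)
```

Because OSSEC reads new lines appended to each monitored file, the FTP job should append each batch to the existing per-domain file rather than replace it; rerun the generator whenever a new domain directory appears and restart OSSEC to pick up the new entries.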
