Hi John,
Actually, instead of changing the config files, you can use the command add_localfile.sh present in the contrib directory (that comes with the ossec package):

# cd ./contrib
# ./add_localfile.sh /var/log/proxyftp/domain1
# ./add_localfile.sh /var/log/proxyftp/domain2

Running one at a time for each log file.

Now, you may have some problems depending on how you plan to update these files. If you are going to copy them over (changing the file inode every time), it will probably not work very well... This happens because ossec tries to seek to the end of the file when it opens it for the first time, and you may not get anything.. Next version we will have something to fix it (Meir is working on a log loaded for us :)).

My suggestion for now is to do something like that:

1- Run the backup programs to get the logs
2- Call "cat" or any other command to append these logs to /var/log/all-proxy.log (cat /var/log/proxyftp/domain1 >> /var/log/all-proxy.log)
3- Configure ossec to read /var/log/all-proxy.log instead.

In addition to that, does Novell iChain use IIS? The log formats are very similar... However, we will still need to have a decoder for that.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/3/06, John McKean <[EMAIL PROTECTED]> wrote:
Thanks for the clarification on what to type. Now, where do I type it? Which file gets the commands you document below. Also, how frequently will the referenced files get parsed by OSSEC?

Unfortunately the reverse proxy we use (Novell iChain) does not support SYSLOG, only FTP.

John R. McKean
Sr. Systems Security Administrator
Oregon State Lottery
(503) 540-1462

>>> [EMAIL PROTECTED] 10/02/06 12:45 pm >>>
...
You will need to add a "localfile" entry for each log file. Something like:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/proxyftp/domain1</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/proxyftp/domain2</location>
</localfile>

But try to check if your proxy server does not support remote syslog or that you can not really install an agent on it...
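The workaround Daniel describes above (append each freshly fetched per-domain log into one aggregate file and point OSSEC at that) works because the aggregate file keeps its inode across backup cycles, even though the fetched source files get a new inode each time they are replaced. The script below is an added example written for this archive, not code from the thread or from the OSSEC project; the directory layout, the sample log lines and the helper names (setup_sample_logs, append_logs, inode_of, line_count) are all constructed here to show the inode behaviour, and the WORK directory defaults to a temporary location instead of /var/log.

```shell
#!/bin/sh
# Added example: simulate the "append fetched logs into one file" workaround
# and confirm that the aggregate file's inode is stable across backup cycles.

WORK="${WORK:-$(mktemp -d)}"      # stand-in for /var/log (constructed location)
SRC="$WORK/proxyftp"              # where the FTP backup drops per-domain logs
AGG="$WORK/all-proxy.log"         # the single file OSSEC would be configured to read

# Constructed sample proxy log lines; each call replaces the files via mv,
# which is what gives them a new inode on every "backup" run.
setup_sample_logs() {
  mkdir -p "$SRC"
  printf 'Oct  3 10:00:01 proxy1 ichain: GET /index.html 200 client=192.0.2.10\n' > "$SRC/domain1.new"
  printf 'Oct  3 10:00:02 proxy1 ichain: GET /login 401 client=192.0.2.11\n'      >> "$SRC/domain1.new"
  printf 'Oct  3 10:00:03 proxy1 ichain: POST /api 500 client=192.0.2.12\n'       > "$SRC/domain2.new"
  mv "$SRC/domain1.new" "$SRC/domain1"
  mv "$SRC/domain2.new" "$SRC/domain2"
}

# Print the inode number of a file (POSIX ls -i: "<inode> <name>").
inode_of() {
  ls -i "$1" | awk '{print $1}'
}

# Step 2 of the workaround: append every given source file to the aggregate log.
append_logs() {
  for f in "$@"; do
    cat "$f" >> "$AGG"
  done
}

# Number of lines currently in the aggregate log.
line_count() {
  wc -l < "$AGG" | tr -d ' '
}

# Stand-alone demonstration when run directly.
if [ "${DEMO:-0}" = "1" ]; then
  setup_sample_logs
  src_before=$(inode_of "$SRC/domain1")
  append_logs "$SRC/domain1" "$SRC/domain2"
  agg_before=$(inode_of "$AGG")
  setup_sample_logs                      # second backup cycle replaces the sources
  append_logs "$SRC/domain1" "$SRC/domain2"
  echo "source inode changed: $src_before -> $(inode_of "$SRC/domain1")"
  echo "aggregate inode stable: $agg_before -> $(inode_of "$AGG"), lines=$(line_count)"
fi
```

Run with DEMO=1 to see both inode numbers printed; the source file's inode changes between cycles while the aggregate's does not, which is exactly why tailing the aggregate file is safe and tailing the fetched files is not. Appending blindly does duplicate lines if the same backup is fetched twice, so in practice the backup step should only hand over logs it has not delivered before.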
