For "http://www.novell.com/" Netcraft reports:

> OS            Server  Last changed    IP address       Netblock Owner
> NetWare       Apache  19-Sep-2006     130.57.5.25      Novell, Inc.
> NetWare       Apache  18-Sep-2006     130.57.5.25      Novell, Inc.
> NetWare       Apache  5-Sep-2006      130.57.5.25      Novell, Inc.
> NetWare       Apache  3-Sep-2006      130.57.5.25      Novell, Inc.
> NetWare       Apache  19-Jun-2006     130.57.5.25      Novell, Inc.
> unknown       Apache  18-Jun-2006     130.57.5.25      Novell, Inc.
> NetWare       Apache  4-Jun-2006      130.57.5.25      Novell, Inc.
> NetWare       Apache  5-May-2006      130.57.5.25      Novell, Inc.
> NetWare       Apache  20-Dec-2005     130.57.4.27      Novell, Inc.
> unknown       Apache  19-Dec-2005     130.57.4.27      Novell, Inc.

For http://naxos.novell.com/ Netcraft reports:

> OS            Server                  Last changed    IP address       Netblock Owner
> Windows 2000  Microsoft-IIS/5.0       14-Sep-2006     130.57.1.13      Novell, Inc.
> Windows 2000  Microsoft-IIS/5.0       8-Jul-2006      130.57.1.13      Novell, Inc.
> Windows 2000  Microsoft-IIS/5.0       15-Jun-2006     130.57.1.13      Novell, Inc.
> Windows 2000  Microsoft-IIS/5.0       9-Apr-2006      130.57.1.13      Novell, Inc.
> unknown       Microsoft-IIS/5.0       8-Apr-2006      130.57.1.13      Novell, Inc.
> Windows 2000  Microsoft-IIS/5.0       26-May-2005     130.57.1.13      Novell, Inc.
> unknown       Microsoft-IIS/5.0       22-May-2005     130.57.1.13      Novell, Inc.
> Windows 2000  Microsoft-IIS/5.0       27-May-2004     130.57.1.13      Novell, Inc.

The above is only a tip of the iceberg.

John McKean wrote:
> Thanks for the tip. I will indeed cat the logs to a single file for
> parsing. 
>  
> If Novell used Microsoft IIS that would be pretty funny :) Novell
> usually uses Apache for web servers. I'm not quite sure what they are
> using for iChain... I will see if I can configure the logs to be more
> Apache like.
>  
> Thanks!
> 
>>>> [EMAIL PROTECTED] 10/4/2006 8:13:59 AM >>>
> 
> 
> Hi John,
> 
> Actually, instead of changing the config files, you can use the command
> add_localfile.sh present in the contrib directory (that comes with the
> ossec package):
> 
> # cd ./contrib
> # ./add_localfile.sh /var/log/proxyftp/domain1
> # ./add_localfile.sh /var/log/proxyftp/domain2
> 
> Running one at a time for each log file. Now, you may have some problems
> depending on how you plan to update these files. If you are going to
> copy them over (changing the file inode every time), it will probably
> not work very well... This happens because ossec tries to seek to the
> end of file when it opens it for the first time and you may not get
> anything..
> Next version we will have something to fix it (Meir is working on a log
> loaded for us :)).
> 
> My suggestion for now is to do something like that:
> 
> 1- Run the backup programs to get the logs
> 2- Call "cat" or any other command to append these logs to
>    /var/log/all-proxy.log
>    (cat /var/log/proxyftp/domain1 >> /var/log/all-proxy.log)
> 3- Configure ossec to read /var/log/all-proxy.log instead.
> 
> In addition to that, does Novell iChain use IIS? The log formats are
> very similar... However, we will still need to have a decoder for that.
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> 
> 
> 
> On 10/3/06, John McKean <[EMAIL PROTECTED]> wrote:
>>
>> Thanks for the clarification on what to type. Now, where do I type it?
>> Which file gets the commands you document below?
>>
>> Also, how frequently will the referenced files get parsed by OSSEC?
>>
>> Unfortunately the reverse proxy we use (Novell iChain) does not support
>> SYSLOG, only FTP.
>>
>>
>> John R. McKean
>> Sr. Systems Security Administrator
>> Oregon State Lottery
>> (503) 540-1462
>>
>>>>> [EMAIL PROTECTED] 10/02/06 12:45 pm >>>
>> ...
>>
>> You will need to add a "localfile" entry for each log file. Something like:
>> <localfile>
>>  <log_format>syslog</log_format>
>>  <location>/var/log/proxyftp/domain1</location>
>> </localfile>
>>
>> <localfile>
>>  <log_format>syslog</log_format>
>>  <location>/var/log/proxyftp/domain2</location>
>> </localfile>
>>
>> But try to check if your proxy server does not support remote syslog
>> or that you can not really install an agent on it...
>>
>>
> 
> 

-- 
Regards:
Kalevi Nyman
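
Added example, not part of the original thread or of the ossec package: one way to carry out the "append to /var/log/all-proxy.log" suggestion quoted above when the fetched files are re-copied in full on every run, so that the monitored file keeps its inode and no line is appended twice. The function name append_new and the state directory are hypothetical.

```sh
#!/bin/sh
# Added example. Appends only the not-yet-seen bytes of a fetched proxy log
# to one aggregate file. The aggregate is only ever opened with >>, so it
# keeps its inode and grows at the end, which is what a reader that seeks to
# end-of-file on first open expects.
# Assumption: the source file is complete (transfer finished) when this runs.

append_new() {
    # usage: append_new SOURCE_LOG AGGREGATE_LOG STATE_DIR
    src=$1; agg=$2; state=$3
    [ -r "$src" ] || return 1
    mkdir -p "$state" || return 1

    # One offset file per source, named after its path with '/' replaced.
    key=$(printf '%s' "$src" | tr '/' '_')
    off_file="$state/$key.offset"

    last=0
    [ -f "$off_file" ] && last=$(cat "$off_file")
    size=$(wc -c < "$src" | tr -d ' ')

    # A source smaller than the saved offset was rotated or truncated:
    # treat all of it as new. (A rotated file that is already larger than
    # the old offset cannot be told apart by size alone.)
    [ "$size" -lt "$last" ] && last=0

    # Nothing new since the previous run.
    [ "$size" -eq "$last" ] && return 0

    # tail -c +N starts at byte N (1-based); head -c caps the copy at the
    # size measured above, so the saved offset matches what was appended.
    tail -c +"$((last + 1))" "$src" | head -c "$((size - last))" >> "$agg" \
        || return 1
    printf '%s\n' "$size" > "$off_file"
}
```

Called once per fetched file after each transfer, for example append_new /var/log/proxyftp/domain1 /var/log/all-proxy.log /var/tmp/proxy-offsets, with ossec reading only /var/log/all-proxy.log.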
