Hi Daniel,

Thanks for your answer. I get it now. Also sorry about my bad. While testing, I made a mistake.

Here is a conclusion about log files (from my test results).

- "archives.log" stores all logs (firewall, syslog, other locally monitored logs). To enable the archives log, add <logall>yes</logall> in ossec.conf.
- "alerts.log" stores all alerts except those whose matched rule has level 0 or the no_log option.
- "firewall.log" stores firewall logs in a normalized way (a log is identified as a firewall log by the decoder).

If someone finds any mistake, please tell me.

Worawit Wang

On 5/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi Worawit,
>
> The "no_log" option means do not log (in archives or alerts log) at all.
> The reason we do that with firewall logs is because they are already
> logged (in a normalized way) at /var/ossec/logs/firewall/firewall.log
>
> Hope it helps to clarify.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/20/07, Worawit Wang <[EMAIL PROTECTED]> wrote:
> > Hi Daniel,
> >
> > I have a problem about the no_log option.
> >
> > I found "Multiple Firewall drop events from same source" (rule id 4151 in
> > firewall_rules.xml) alerts but no "Firewall drop event" (rule id 4101) in
> > alerts.log. When removing the "<options>no_log</options>" line in rule id 4101,
> > there are "Firewall drop event" alerts.
> >
> > In my opinion, no_log means the log will not be logged in archives.log only. But
> > I found no_log means the log will not be logged in archives.log and alerts.log.
> >
> > What does it really mean? Or did I mess up something???
> >
> > Thanks,
> > Worawit
> >
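The routing summarised in the thread (logall for archives.log, level 0 or no_log suppressing alerts.log, no_log also suppressing archives.log, firewall decoder feeding firewall.log), written out as an added example that is not OSSEC code or part of the thread. The rule snippet mimics firewall_rules.xml; the ids and the no_log option come from the thread, while the level values are constructed sample numbers.

```python
import xml.etree.ElementTree as ET

# Constructed rule definitions in the style of firewall_rules.xml.
# Rule ids and the no_log option are from the thread; levels are made-up samples.
RULES_XML = """
<group name="firewall,">
  <rule id="4101" level="5">
    <description>Firewall drop event</description>
    <options>no_log</options>
  </rule>
  <rule id="4151" level="10">
    <description>Multiple Firewall drop events from same source</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Map rule id -> {'level': int, 'no_log': bool} from an OSSEC-style rule file."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        opts = (rule.findtext("options") or "").replace(" ", "").split(",")
        rules[rule.get("id")] = {
            "level": int(rule.get("level", "0")),
            "no_log": "no_log" in opts,
        }
    return rules


def destinations(rule_id, rules, decoder, logall):
    """Return the set of log files an event ends up in, per the thread's conclusions.

    rule_id: id of the matched rule, or None when no rule matched.
    decoder: name of the decoder that identified the log ("firewall" or other).
    logall:  True when <logall>yes</logall> is set in ossec.conf.
    """
    out = set()
    rule = rules.get(rule_id) if rule_id is not None else None
    suppressed = rule is not None and rule["no_log"]   # no_log: neither archives nor alerts
    if logall and not suppressed:
        out.add("archives.log")
    if rule is not None and not suppressed and rule["level"] > 0:
        out.add("alerts.log")
    if decoder == "firewall":
        out.add("firewall.log")             # normalized copy, written regardless
    return out
```

Running the thread's scenario: a single drop matching 4101 reaches only firewall.log, while the correlated 4151 match still produces an alert.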
