When you folks mentioned that the firewall log is stored normalized, it brought a question to mind. With the logs being normalized, would that affect the log file 'audit trail' if the logs were needed for a court case? I'm unsure if normalization of log files by security tools destroys the admissibility of them (the logs) for the courts.
Any thoughts on this topic?

-Chuck (MdMonk)

On 5/23/07, Worawit Wang <[EMAIL PROTECTED]> wrote:
> Hi Daniel,
>
> Thanks for your answer. I get it now. Also sorry about my bad. While testing, I made a mistake.
>
> Here is a conclusion about log files (from my test result).
> - "archives.log" stores all logs (firewall, syslog, other local monitored logs). To enable archives log, add <logall>yes</logall> in ossec.conf.
> - "alerts.log" stores all alerts except when the matched rule level is 0 or has the no_log option.
> - "firewall.log" stores firewall logs in a normalized way (a log is identified as a firewall log by the decoder).
>
> If someone finds any mistake, please tell me.
>
> Worawit Wang
>
>
> On 5/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > Hi Worawit,
> >
> > The "no_log" option means do not log (in archives or alerts log) at all. The reason we do that with firewall logs is because they are already logged (in a normalized way) at /var/ossec/logs/firewall/firewall.log
> >
> > Hope it helps to clarify.
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 5/20/07, Worawit Wang <[EMAIL PROTECTED]> wrote:
> > > Hi Daniel,
> > >
> > > I have a problem with the no_log option.
> > >
> > > I found "Multiple Firewall drop events from same source" (rule id 4151 in firewall_rules.xml) alerts but no "Firewall drop event" (rule id 4101) in alerts.log. When removing the "<options>no_log</options>" line in rule id 4101, there are "Firewall drop event" alerts.
> > >
> > > In my opinion, no_log means the log will not be logged in archives.log only. But I found no_log means the log will not be logged in archives.log and alerts.log.
> > >
> > > What does it really mean? Or did I mess up something???
> > >
> > > Thanks,
> > > Worawit
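As an added illustration of the routing Worawit and Daniel describe above (this is a constructed model written for this thread, not OSSEC's code or anyone's posted code): a no_log rule such as 4101 still matches and still feeds the composite rule 4151, but its own events reach neither alerts.log nor archives.log, so the only record of an individual drop is the normalized firewall.log line. The rule ids come from the thread; the frequency and timeframe values and the choice that the primary match alone decides archives.log are assumptions.

```python
from collections import defaultdict, deque

# Constructed model of the routing described in the thread; not OSSEC's implementation.
# Rule ids 4101/4151 come from the thread; frequency=3 and timeframe=60 are assumed.
RULES = {
    4101: {"level": 5, "options": {"no_log"}, "desc": "Firewall drop event"},
    4151: {"level": 10, "options": set(), "if_matched_sid": 4101,
           "frequency": 3, "timeframe": 60,
           "desc": "Multiple Firewall drop events from same source"},
}

class LogRouter:
    def __init__(self, logall=False):
        self.logall = logall  # models <logall>yes</logall> in ossec.conf
        self.out = {"archives.log": [], "alerts.log": [], "firewall.log": []}
        self.hits = defaultdict(deque)  # src_ip -> timestamps of 4101 matches

    def process(self, ev):
        """ev: {'ts', 'src_ip', 'raw', 'decoder', 'rule'}; returns the rule ids fired."""
        fired = []
        # Firewall-decoded events always land in firewall.log, in normalized form.
        if ev["decoder"] == "firewall":
            self.out["firewall.log"].append(f"{ev['ts']} DROP {ev['src_ip']}")
        rid = ev.get("rule")
        if rid is not None:
            fired.append(rid)
            # Composite rules chain on this match via if_matched_sid + same source ip.
            for cid, cr in RULES.items():
                if cr.get("if_matched_sid") != rid:
                    continue
                hist = self.hits[ev["src_ip"]]
                hist.append(ev["ts"])
                while ev["ts"] - hist[0] > cr["timeframe"]:  # drop matches outside the window
                    hist.popleft()
                if len(hist) >= cr["frequency"]:
                    fired.append(cid)
                    hist.clear()
        # archives.log: every event when logall is on, unless the matched rule says no_log
        # (assumption: the primary match alone decides this).
        primary_no_log = rid is not None and "no_log" in RULES[rid]["options"]
        if self.logall and not primary_no_log:
            self.out["archives.log"].append(ev["raw"])
        # alerts.log: one entry per fired rule, skipping level-0 and no_log rules.
        for r in fired:
            rule = RULES[r]
            if rule["level"] > 0 and "no_log" not in rule["options"]:
                self.out["alerts.log"].append(f"Rule {r}: {rule['desc']}")
        return fired
```

Feeding three drops from one source yields a single 4151 alert, an empty archives.log even with logall on, and three normalized firewall.log lines, which is exactly the evidentiary gap Chuck is asking about.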
