When you folks mentioned that the firewall log is stored normalized,
it brought a question to mind. With the logs being normalized, would
that affect the log file 'audit trail' if the logs were needed for a
court case? I'm unsure if normalization of log files by security tools
destroys the admissibility of them (the logs) for the courts.

Any thoughts on this topic?

-Chuck (MdMonk)

On 5/23/07, Worawit Wang <[EMAIL PROTECTED]> wrote:
> Hi Daniel,
>
> Thanks for your answer. I get it now. Also, sorry, my bad: while
> testing, I made a mistake.
>
> Here is a conclusion about log files (from my test result).
> - "archives.log" stores all logs (firewall, syslog, other locally monitored
> logs). To enable the archives log, add <logall>yes</logall> in ossec.conf.
> - "alerts.log" stores all alerts except those whose matched rule has level 0
> or the no_log option.
> - "firewall.log" stores firewall logs in a normalized way (a log is identified
> as a firewall log by the decoder)
>
> If someone found any mistake, please tell me.
>
> Worawit Wang
>
>
> On 5/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > Hi Worawit,
> >
> > The "no_log" option means do not log (in archives or alerts log) at all.
> > The reason we do that with firewall logs is because they are already
> > logged (in a normalized way) at /var/ossec/logs/firewall/firewall.log
> >
> > Hope it helps to clarify.
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 5/20/07, Worawit Wang <[EMAIL PROTECTED]> wrote:
> > > Hi Daniel,
> > >
> > > I have a problem about no_log option.
> > >
> > > I found a "Multiple Firewall drop events from same source" (rule id 4151 in
> > > firewall_rules.xml) alert but no "Firewall drop event" (rule id 4101) in
> > > alerts.log. When removing the "<options>no_log</options>" line in rule id
> > > 4101, there are "Firewall drop event" alerts.
> > >
> > > In my opinion, no_log means the log will not be logged in archives.log only.
> > > But I found no_log means the log will not be logged in archives.log and
> > > alerts.log.
> > >
> > > What does it really mean? Or did I mess up something???
> > >
> > > Thanks,
> > > Worawit
> > >
> >
>
>
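A toy model of the routing behaviour the thread describes, added here as an example and not OSSEC's own code: it shows why a no_log rule (4101) leaves no line in alerts.log while the frequency rule built on top of it (4151) still fires, because suppressing the write does not suppress the correlation. Rule ids 4101 and 4151 come from the thread; the rule levels, the frequency/timeframe values and the sample source address are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Rule:
    id: int
    level: int
    no_log: bool = False      # <options>no_log</options>
    if_matched_sid: int = 0   # >0: frequency rule over that parent rule id
    frequency: int = 0
    timeframe: int = 0        # seconds


@dataclass
class Router:
    rules: list               # correlation (frequency) rules
    logall: bool = False      # <logall>yes</logall> in ossec.conf
    files: dict = field(default_factory=lambda: defaultdict(list))
    seen: dict = field(default_factory=lambda: defaultdict(deque))

    def _alert(self, ts, rule):
        # alerts.log: skipped for level 0 rules and for rules carrying no_log
        if rule.level > 0 and not rule.no_log:
            self.files["alerts.log"].append((ts, rule.id))

    def route(self, ts, decoder, srcip, rule):
        """Deliver one decoded event that matched `rule` to the three files."""
        if self.logall and not rule.no_log:   # per Daniel: no_log skips archives too
            self.files["archives.log"].append((ts, rule.id))
        if decoder == "firewall":             # normalized copy, regardless of rule
            self.files["firewall.log"].append((ts, srcip))
        self._alert(ts, rule)
        for corr in self.rules:               # no_log events still count here
            if corr.if_matched_sid != rule.id:
                continue
            window = self.seen[(corr.id, srcip)]
            window.append(ts)
            while ts - window[0] > corr.timeframe:
                window.popleft()
            if len(window) >= corr.frequency:
                window.clear()
                self._alert(ts, corr)


MULTI = Rule(id=4151, level=10, if_matched_sid=4101, frequency=8, timeframe=45)


def simulate(n_drops, no_log=True, logall=False, srcip="10.0.0.5"):
    """Feed n_drops firewall DROP events from one (constructed) source."""
    drop = Rule(id=4101, level=5, no_log=no_log)   # level is assumed
    r = Router(rules=[MULTI], logall=logall)
    for i in range(n_drops):
        r.route(ts=i, decoder="firewall", srcip=srcip, rule=drop)
    return {name: list(lines) for name, lines in r.files.items()}
```

Calling `simulate(10)` reproduces Worawit's observation: ten firewall.log lines, a single 4151 entry in alerts.log and no 4101 entries; `simulate(3, no_log=False)` shows the 4101 alerts reappearing once the option is removed.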
