I took out connection==secure.
I am not getting this anymore:
ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.

But I am still getting the following on the client:
2007/09/05 14:21:35 ossec-execd: Started (pid: 15288).
2007/09/05 14:21:35 ossec-agentd: No previous counter available for 'web'.
2007/09/05 14:21:35 ossec-agentd: Assigning counter for agent web: '0:0'.
2007/09/05 14:21:35 ossec-agentd: Assigning sender counter: 0:1157
2007/09/05 14:21:35 ossec-agentd: Started (pid: 15292).
2007/09/05 14:21:35 ossec-agentd: Connecting to server (192.168.0.11:1514).
2007/09/05 14:21:37 ossec-syscheckd: Started (pid: 15300).
2007/09/05 14:21:37 ossec-rootcheck: Started (pid: 15300).
2007/09/05 14:21:41 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
2007/09/05 14:21:41 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2007/09/05 14:21:41 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
2007/09/05 14:21:41 ossec-logcollector: Started (pid: 15296).
2007/09/05 14:21:45 ossec-logcollector: Process locked. Waiting for permission...
2007/09/05 14:21:50 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:22:07 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:22:38 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:23:24 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:24:25 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:25:41 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:25:53 ossec-syscheckd: Process locked. Waiting for permission...
2007/09/05 14:27:12 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:28:58 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:30:59 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:33:15 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:35:46 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:38:32 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:41:33 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:44:49 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:48:20 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:52:06 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 14:56:07 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 15:00:23 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 15:04:55 ossec-agentd(4101): Waiting for server reply (not started).
2007/09/05 15:09:41 ossec-agentd(4101): Waiting for server reply (not started).

netstat -an | more

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
     192.168.0.40.39367   192.168.0.11.1514    Connected



On the server:

# ./list_agents -a
** No agent available.

# netstat -an | more

UDP: IPv4
   Local Address         Remote Address     State
-------------------- -------------------- -------

      *.1514                                Idle
      *.*                                   Unbound

2007/09/05 14:20:40 ossec-maild: Started (pid: 8513).
2007/09/05 14:20:40 ossec-execd: Started (pid: 8517).
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'rules_config.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'symantec-av_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'symantec-ws_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'named_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'vpopmail_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'courier_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'web_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'cisco-ios_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'ms-exchange_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'vpn_concentrator_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2007/09/05 14:20:40 ossec-analysisd: Reading rules file: 'zeus_rules.xml'
2007/09/05 14:20:41 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
2007/09/05 14:20:41 ossec-analysisd: Reading rules file: 'local_rules.xml'
2007/09/05 14:20:41 ossec-analysisd: Total rules enabled: '616'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
2007/09/05 14:20:41 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2007/09/05 14:20:41 ossec-analysisd: Started (pid: 8522).
2007/09/05 14:20:41 ossec-remoted: Started (pid: 8534).
2007/09/05 14:20:41 ossec-monitord: Started (pid: 8538).
2007/09/05 14:20:41 ossec-remoted: Started (pid: 8539).
2007/09/05 14:20:41 ossec-remoted: Assigning counter for agent web: '0:588'.
2007/09/05 14:20:41 ossec-remoted: Assigning counter for agent mail: '0:484'.
2007/09/05 14:20:41 ossec-remoted: No previous counter available for 'media'.
2007/09/05 14:20:41 ossec-remoted: Assigning counter for agent media: '0:0'.
2007/09/05 14:20:41 ossec-remoted: Assigning sender counter: 0:2193
2007/09/05 14:20:43 ossec-syscheckd: Started (pid: 8532).
2007/09/05 14:20:43 ossec-rootcheck: Started (pid: 8532).
2007/09/05 14:20:47 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
2007/09/05 14:20:47 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
2007/09/05 14:20:47 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2007/09/05 14:20:47 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
2007/09/05 14:20:47 ossec-logcollector: Started (pid: 8526).

any help would be appreciated.

Thanks,

Hasib

On 9/5/07, Zarick Lau <[EMAIL PROTECTED]> wrote:
>
>
> Judged from the log content:
> 2007/09/04 15:47:22 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
>
> And in the ossec.conf, you have a duplicate <remote> section.
> <connection>syslog</connection>
> and
> <connection>secure</connection>
>
> are mutually exclusive.
>
> You should only try 'connection == secure' first.
>
> Best regards,
> Zarick
>
> On Sep 5, 4:15 am, "Hasibul Haque" < [EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I am trying to run 1 ossec server (solaris8 sparc) and 3 clients (solaris 10 sparc).
> > I have changed ipf firewall on all 4 machines to open udp 1514 but it seems the server is not responding to the clients.
> > On the client logs, I have the following:
> >
> > 2007/09/04 15:50:21 ossec-rootcheck: Started (pid: 8924).
> > 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
> > 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> > 2007/09/04 15:50:25 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
> > 2007/09/04 15:50:25 ossec-logcollector: Started (pid: 8920).
> > 2007/09/04 15:50:27 ossec-logcollector: Process locked. Waiting for permission...
> > 2007/09/04 15:50:34 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:50:50 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:51:21 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:52:07 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:53:08 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:54:24 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:54:37 ossec-syscheckd: Process locked. Waiting for permission...
> > 2007/09/04 15:55:56 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:57:42 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 15:59:43 ossec-agentd(4101): Waiting for server reply (not started).
> > 2007/09/04 16:01:59 ossec-agentd(4101): Waiting for server reply (not started).
> >
> > On the server:
> >
> > 2007/09/04 15:47:22 ossec-maild: Started (pid: 14404).
> > 2007/09/04 15:47:22 ossec-execd: Started (pid: 14408).
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'rules_config.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pam_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'symantec-av_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'symantec-ws_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'named_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vpopmail_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'courier_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'web_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'cisco-ios_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ms-exchange_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'vpn_concentrator_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'zeus_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Reading rules file: 'local_rules.xml'
> > 2007/09/04 15:47:22 ossec-analysisd: Total rules enabled: '616'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mtab'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mnttab'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/random-seed'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/adjtime'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/utmpx'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/wtmpx'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: '/etc/cups/certs'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
> > 2007/09/04 15:47:22 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> > 2007/09/04 15:47:22 ossec-analysisd: Started (pid: 14412).
> > 2007/09/04 15:47:22 ossec-remoted: Started (pid: 14424).
> > 2007/09/04 15:47:22 ossec-monitord: Started (pid: 14429).
> > 2007/09/04 15:47:22 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
> > 2007/09/04 15:47:22 ossec-remoted: Started (pid: 14431).
> > 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent web: '0:588'.
> > 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent mail: '0:484'.
> > 2007/09/04 15:47:23 ossec-remoted: No previous counter available for 'media'.
> > 2007/09/04 15:47:23 ossec-remoted: Assigning counter for agent media: '0:0'.
> > 2007/09/04 15:47:23 ossec-remoted: Assigning sender counter: 0:2055
> > 2007/09/04 15:47:24 ossec-syscheckd: Started (pid: 14423).
> > 2007/09/04 15:47:24 ossec-rootcheck: Started (pid: 14423).
> > 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
> > 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> > 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
> > 2007/09/04 15:47:28 ossec-logcollector(1950): Analyzing file: '/usr/local/squid/var/logs/access.log'.
> > 2007/09/04 15:47:28 ossec-logcollector: Started (pid: 14416).
> >
> > more /etc/ossec-init.conf
> > DIRECTORY="/var/ossec"
> > VERSION="v1.3"
> > DATE="Tue Aug 28 12:27:24 EDT 2007"
> > TYPE="server"
> >
> > ossec-analysisd -V
> >
> > OSSEC HIDS v1.3 - Daniel B. Cid
> >
> > uname -a
> > SunOS dev 5.8 Generic_117350-46 sun4u sparc SUNW,UltraAX-i2 Solaris
> >
> > more /var/ossec/etc/ossec.conf
> > <ossec_config>
> >   <global>
> >     <email_notification>yes</email_notification>
> >     <email_to>root</email_to>
> >     <smtp_server>mail.abc.com</smtp_server>
> >     <email_from>[EMAIL PROTECTED]</email_from>
> >   </global>
> >
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed - default to every 6 hours -->
> >     <frequency>21600</frequency>
> >
> >     <!-- Directories to check  (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories check_all="yes">/bin,/sbin</directories>
> >
> >     <!-- Files/directories to ignore -->
> >     <ignore>/etc/mtab</ignore>
> >     <ignore>/etc/mnttab</ignore>
> >     <ignore>/etc/hosts.deny</ignore>
> >     <ignore>/etc/mail/statistics</ignore>
> >     <ignore>/etc/random-seed</ignore>
> >     <ignore>/etc/adjtime</ignore>
> >     <ignore>/etc/httpd/logs</ignore>
> >     <ignore>/etc/utmpx</ignore>
> >     <ignore>/etc/wtmpx</ignore>
> >     <ignore>/etc/cups/certs</ignore>
> >
> >     <!-- Windows files to ignore -->
> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> >     <ignore>C:\WINDOWS/Debug</ignore>
> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> >     <ignore>C:\WINDOWS/iis6.log</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> >     <ignore>C:\WINDOWS/Prefetch</ignore>
> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> >     <ignore>C:\WINDOWS/Temp</ignore>
> >     <ignore>C:\WINDOWS/system32/config</ignore>
> >     <ignore>C:\WINDOWS/system32/spool</ignore>
> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> >   </syscheck>
> >
> >   <rootcheck>
> >     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> >     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> >   </rootcheck>
> >
> >   <active-response>
> >     <disabled>yes</disabled>
> >   </active-response>
> >
> >   <remote>
> >     <connection>syslog</connection>
> >   </remote>
> >
> >   <remote>
> >     <connection>secure</connection>
> >   </remote>
> >
> >   <alerts>
> >     <log_alert_level>1</log_alert_level>
> >     <email_alert_level>7</email_alert_level>
> >   </alerts>
> >   <!-- Files to monitor (localfiles) -->
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/authlog</location>
> >   </localfile>
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/syslog</location>
> >   </localfile>
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/maillog</location>
> >   </localfile>
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/usr/local/squid/var/logs/access.log</location>
> >   </localfile>
> > </ossec_config>
> >
> > <ossec_config>  <!-- rules global entry -->
> >   <rules>
> >     <include>rules_config.xml</include>
> >     <include>pam_rules.xml</include>
> >     <include>sshd_rules.xml</include>
> >     <include>telnetd_rules.xml</include>
> >     <include>syslog_rules.xml</include>
> >     <include>arpwatch_rules.xml</include>
> >     <include>symantec-av_rules.xml</include>
> >     <include>symantec-ws_rules.xml</include>
> >     <include>pix_rules.xml</include>
> >     <include>named_rules.xml</include>
> >     <include>smbd_rules.xml</include>
> >     <include>vsftpd_rules.xml</include>
> >     <include>pure-ftpd_rules.xml</include>
> >     <include>proftpd_rules.xml</include>
> >     <include>ms_ftpd_rules.xml</include>
> >     <include>hordeimp_rules.xml</include>
> >     <include>vpopmail_rules.xml</include>
> >     <include>courier_rules.xml</include>
> >     <include>web_rules.xml</include>
> >     <include>apache_rules.xml</include>
> >     <include>ids_rules.xml</include>
> >     <include>squid_rules.xml</include>
> >     <include>firewall_rules.xml</include>
> >     <include>cisco-ios_rules.xml</include>
> >     <include>netscreenfw_rules.xml</include>
> >     <include>postfix_rules.xml</include>
> >     <include>sendmail_rules.xml</include>
> >     <include>imapd_rules.xml</include>
> >     <include>mailscanner_rules.xml</include>
> >     <include>ms-exchange_rules.xml</include>
> >     <include>racoon_rules.xml</include>
> >     <include>vpn_concentrator_rules.xml</include>
> >     <include>spamd_rules.xml</include>
> >     <include>msauth_rules.xml</include>
> >     <!-- <include>policy_rules.xml</include> -->
> >     <include>attack_rules.xml</include>
> >     <include>zeus_rules.xml</include>
> >     <include>ossec_rules.xml</include>
> >     <include>local_rules.xml</include>
> >   </rules>
> > </ossec_config>  <!-- rules global entry -->
> >
> > <http://www.ossec.net/en/licensing.html>
>
>
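A check for the server-side <remote> configuration this thread turns on, added here as example code (it is not from the thread and not part of OSSEC): it parses the <remote> blocks of an ossec.conf and flags a syslog listener with no <allowed-ips>, which is the condition ossec-remoted(1501) reports above, repeated listener types, and the absence of a 'secure' listener for agents. The two sample configs are constructed; <allowed-ips> is OSSEC's own element for the syslog access list.

```python
import xml.etree.ElementTree as ET

# The two listener types ossec-remoted knows: 'secure' (agents) and 'syslog'.
CONNECTION_TYPES = ("secure", "syslog")

def load_remotes(conf_text):
    """Return one dict per <remote> block. ossec.conf may hold several top-level
    <ossec_config> elements, so the file is wrapped in a single root first."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    remotes = []
    for node in root.iter("remote"):
        remotes.append({
            "connection": (node.findtext("connection") or "").strip(),
            "allowed_ips": [a.text.strip() for a in node.findall("allowed-ips")
                            if a.text and a.text.strip()],
        })
    return remotes

def check_remotes(conf_text):
    """Return a list of (severity, message) findings; an empty list means OK."""
    findings = []
    remotes = load_remotes(conf_text)
    kinds = [r["connection"] for r in remotes]
    for r in remotes:
        conn = r["connection"]
        if conn not in CONNECTION_TYPES:
            findings.append(("error", "unknown <connection> value %r" % conn))
            continue
        # A syslog listener with no access list is exactly what ossec-remoted(1501)
        # rejects: "No IP or network allowed in the access list for syslog".
        if conn == "syslog" and not r["allowed_ips"]:
            findings.append(("error", "syslog listener has no <allowed-ips>: "
                             "ossec-remoted(1501) will refuse to run it"))
    for kind in sorted(set(kinds)):
        if kinds.count(kind) > 1:
            findings.append(("warning", "%d <remote> blocks of type %s" % (kinds.count(kind), kind)))
    # Agents only talk to a 'secure' listener; without one they keep logging
    # "Waiting for server reply (not started)".
    if "secure" not in kinds:
        findings.append(("warning", "no 'secure' listener: agents will never "
                         "get a server reply"))
    return findings

# Constructed sample mirroring the thread's server config: a bare syslog
# listener next to the secure one.
THREAD_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""

# Constructed corrected version: the syslog listener names the network allowed
# to send to it; the secure listener for agents is unchanged.
FIXED_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/24</allowed-ips>
  </remote>
</ossec_config>"""

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(name, check_remotes(conf) or "OK")
```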
