Dear Daniel,

I have tried to redirect the output of the errpt command to a file which I am trying to monitor with ossec, but it is not working. Is ossec capable of parsing such kind of logs into a format recognised by ossec? I am pasting the ossec.conf file for reference. It is perfectly monitoring the SULOG & AUTHLOG. (I don't have much idea regarding other log files we should monitor with ossec.)

OSSEC.CONF

<ossec_config>
  <client>
    <server-ip>x.x.x.x</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 6 hours. Tweaked to once a day -->
    <frequency>86400</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>  <!-- the syscheck block must be closed here; rootcheck is a separate top-level section -->

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/sulog</location>
  </localfile>

  <!-- Customised file to check if it can read from the error log generated by errpt -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/tmp/errpt_Mar272008</location>
  </localfile>
</ossec_config>

Regards
Gagan

On 3/25/08, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi Gagan,
>
> I don't run AIX (or even have access to one), so it is a platform that
> is very hard for us to support, but I think the SULOG and AUTHLOG are
> good additions to be monitored by default.
>
> Regarding "errpt", I believe you can send its output to syslog, which
> can easily be monitored by OSSEC:
> http://unix.derkeiler.com/Mailing-Lists/AIX-L/2003-04/0058.html
>
> Btw, can you provide us with samples of your SULOG, AUTHLOG and the
> changes you made to ossec.conf? If you can also show us samples of the
> errpt log to syslog, we will make sure to add support for it on the
> next version....
>
> *with AIX and some other proprietary platforms, we need a lot of
> community help to make sure we support it well.
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Thu, Mar 6, 2008 at 7:32 AM, <[EMAIL PROTECTED]> wrote:
> >
> > Dear Mailing List
> >
> > I am facing some problems while configuring the agent on AIX 5.3.
> > Prior to this I have done successful installations & they are working
> > beautifully on Windows and Linux servers. During agent installation it
> > picks up the logs to be monitored and configures ossec.conf.
> > During the agent installation on the AIX platform no parameters were taken
> > by the install.
> > I had manually edited the ossec.conf file and put SULOG and AUTHLOG as
> > local files to be monitored (which are working fine).
> > Can anyone tell which other logs or files we should monitor for
> > effectiveness on an AIX box?
> > Is Ossec equipped with any parser which can read from the files
> > normally not legible in syslog or normal log format?
> > Rather, those files are read by using the errpt command on AIX.
> >
> > In other words, how can we read important error logs on an AIX box? What
> > should be their configuration parameters in ossec.conf?
> >
> > Anyone who has implemented the same???
> >
> > Thanks & Regards
> > Gagan Bhatia
> >
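The reason the /tmp/errpt_Mar272008 approach above fails is that errpt's summary output is a column table, not the "Mon DD HH:MM:SS host program: message" line that OSSEC's syslog log_format expects. The following is an added example, not code from this thread or from OSSEC: a small POSIX shell function that rewrites errpt summary lines into one syslog-style event per line, which is the shape Daniel's "send it to syslog" suggestion produces. It assumes the default errpt summary layout (IDENTIFIER, TIMESTAMP as MMDDhhmmYY, type, class, RESOURCE_NAME, DESCRIPTION) and uses a constructed sample as input; the hostname and output path are placeholders.

```shell
#!/bin/sh
# errpt_to_syslog: rewrite AIX errpt summary lines as one-event-per-line
# syslog-style records, so a file of them can be read by an OSSEC
# <localfile> with <log_format>syslog</log_format>.
#
# Assumed input layout (default "errpt" summary, not "errpt -a" detail):
#   IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
# where TIMESTAMP is MMDDhhmmYY, T is the error type and C the error class.
# The year is dropped because the classic syslog header carries none.
errpt_to_syslog() {
    host="$1"   # hostname to stamp on every line; input arrives on stdin
    awk -v host="$host" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ") }
        $1 == "IDENTIFIER" { next }          # column header, not an event
        NF < 6 { next }                      # malformed or blank line
        {
            ts = $2
            mm = substr(ts, 1, 2) + 0        # month 1..12
            dd = substr(ts, 3, 2) + 0        # day, space-padded below
            hh = substr(ts, 5, 2)
            mi = substr(ts, 7, 2)
            if (mm < 1 || mm > 12) next      # unparseable timestamp, skip
            desc = $6                        # description may span fields
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%s %2d %s:%s:00 %s errpt: id=%s type=%s class=%s resource=%s desc=%s\n",
                   mon[mm], dd, hh, mi, host, $1, $3, $4, $5, desc
        }'
}

# Constructed sample of errpt summary output (not captured from a real host).
SAMPLE_ERRPT='IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
2BFA76F6   0327120008 T S SYSPROC        SYSTEM SHUTDOWN BY USER
0BA49C99   0327141508 P H hdisk0         DISK OPERATION ERROR'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ERRPT" | errpt_to_syslog aixhost

# On the AIX host itself (assumed usage, not run here): feed only entries
# newer than the last run (errpt -s <start time>) into the file OSSEC
# watches, then set <location>/var/adm/errpt.log</location> (placeholder).
#   errpt -s "$LAST_RUN" | errpt_to_syslog "$(hostname)" >> /var/adm/errpt.log
```

With the lines in this shape OSSEC will read the file and parse the syslog header, but producing an alert on the id/type/class fields still needs a matching decoder and rule, which is the support Daniel offers to add once he has samples. Piping the same output through the AIX logger command instead of a file is the other route to the same result.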
