Good morning list,

I have a few questions regarding OSSEC configuration. My last email wasn't replied to, so I'll paste that at the end of this email as well.

4. How can I tell if the rootcheck daemon is configured and running properly? Does it log anywhere? I see "2008/03/30 08:18:20 ossec-rootcheck: System audit file not configured." in /var/ossec/logs/ossec.log. What further configuration do I need to do on my server and agents?

5. What features does OSSEC have regarding "policy enforcement"?

6. Has anyone on this list (besides Daniel, of course) utilized the commercial support available for OSSEC? How was your experience?

Older questions:

1. The instructions here ( http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput ) indicate you can compile OSSEC to output to a database. Does that mean that OSSEC will ONLY log to the database, or will it log to the database in ADDITION to its normal functionality?

2. How would logging to a database affect usage of the WUI?

3. I am working on a log aggregation project. Can OSSEC store _everything_ it sees in logs rather than just "alerts" or "events"? In this thread ( http://groups.google.com/group/ossec-list/browse_thread/thread/251ae94b50420a6f/cbd7b7cc6e9efe41?lnk=gst&q=syslog-ng#cbd7b7cc6e9efe41 ), Daniel indicates a log_all parameter. Where does this go and how does it work? I can't find anything in the wiki or manual.

Thanks!

Matt