Hi Matthew,

Answers inline...

On Tue, Apr 1, 2008 at 12:15 PM, Gansert, Matthew A
<[EMAIL PROTECTED]> wrote:
>
>
> Good morning list,
>
> I have a few questions regarding OSSEC configuration.  My last email wasn't
> replied to, so I'll paste that at the end of this email as well.
> 4.  How can I tell if the rootcheck daemon is configured and running
> properly?  Does it log anywhere?  I see "2008/03/30 08:18:20
> ossec-rootcheck: System audit file not configured." in
> /var/ossec/logs/ossec.log.  What further configuration do I need to do on my
> server and agents?

If you look at /var/ossec/queue/rootcheck/ you will see a file for
each agent. If rootcheck is running, you
will see messages in there.


> 5.  What features does OSSEC have regarding "policy enforcement"?

Take a look at:
http://www.ossec.net/wiki/index.php/Know_How:WindowsPolicy


> 6.  Has anyone on this list (besides Daniel of course) utilized commercial
> support available for OSSEC?  How was your experience?

It was great! :)


> Older questions:
>
>
> 1.  The instructions here (
> http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput ) indicate
> you can compile OSSEC to output to a database.  Does that mean that
> OSSEC will ONLY log to the database, or will it log to the database in
> ADDITION to its normal functionality?

It will log to the database in addition to the normal /var/ossec/log/alerts/.


> 2.  How would logging to a database affect usage of the WUI?

It doesn't at all. The WUI still uses the log files and they are not
changed with the database
output.



> 3.  I am working on a log aggregation project.  Can OSSEC store
> _everything_ it sees in logs rather than just "alerts" or "events"?  In this
> thread (
> http://groups.google.com/group/ossec-list/browse_thread/thread/251ae94b50420a6f/cbd7b7cc6e9efe41?lnk=gst&q=syslog-ng#cbd7b7cc6e9efe41
> ), Daniel indicates a log_all parameter.   Where does this go and how does
> it work?  I can't find anything in the wiki or manual.

Yes, it can. It will log everything under
/var/ossec/logs/store/Year/Month/day. If you don't like the way it
logs everything, you can also keep your logs stored in the normal way
via syslog (/var/log) and configure
OSSEC to read the logs from there...

> Thanks!  Matt


Hope it helps.


--
Daniel B. Cid
dcid ( at ) ossec.net

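The rootcheck check described in the reply (one queue file per agent under /var/ossec/queue/rootcheck/), scripted as an added example that is not from the mailing list or from OSSEC itself. The function name, the one-day staleness threshold and the GNU/BSD stat fallback are assumptions.

```shell
# rootcheck_status: hypothetical helper (not from the thread or OSSEC).
# Lists each agent's rootcheck queue file with the age of its last write
# and its final entry, so an agent whose rootcheck stopped reporting
# stands out. The "System audit file not configured" line in ossec.log
# only means no system_audit policy file is set; rootcheck itself still
# runs, and the queue files below are the evidence of that.
#   rootcheck_status [queue_dir] [max_age_seconds]
# Returns 0 when every agent reported within max_age, 1 if any agent is
# stale or no agent files exist, 2 if the directory is missing.
rootcheck_status() {
    dir="${1:-/var/ossec/queue/rootcheck}"
    max_age="${2:-86400}"   # one day; an assumed threshold, tune to your scan frequency
    [ -d "$dir" ] || { echo "rootcheck_status: $dir not found" >&2; return 2; }
    now=$(date +%s)
    stale=0
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        # GNU stat first, BSD stat as the fallback
        mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
        age=$((now - mtime))
        last=$(tail -n 1 "$f")
        if [ "$age" -gt "$max_age" ]; then
            state=STALE; stale=1
        else
            state=ok
        fi
        printf '%-5s %-24s age=%-8s last: %s\n' "$state" "$(basename "$f")" "$age" "$last"
    done
    [ "$found" -eq 1 ] || { echo "rootcheck_status: no agent files in $dir" >&2; return 1; }
    return $stale
}
```

Run it on the manager as root, since the queue directory is not world-readable by default.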