Hi Chris,
1-Yes, Windows 2008/Vista is supported by OSSEC. We have all the rules
with the new and old
event ids.
2-Inside the rule you can overwrite the default setting of only
emailing for alerts > 7. So, if you
look at, for example, rule 502:
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
It is level 3, but set to email the alert... You can also change that
for every rule by changing the option
<mail_alert_level>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
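To make the email decision described above concrete, here is an added example (not code from Daniel or from the OSSEC project) that parses a small rule set and applies the two controls he mentions: the global threshold and a per-rule alert_by_email option. Rule 502 is the one quoted in the reply; the other rule ids, match strings and the group name are constructed for illustration, and the threshold is passed in as a parameter named after the option in the reply. The no_email_alert option is the per-rule opt-out OSSEC provides alongside alert_by_email.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule set. Rule 502 is the one quoted in the reply;
# rules 100001-100003 are hypothetical local rules added for illustration.
SAMPLE_RULES = """
<group name="example_group">
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="100001" level="3">
    <match>routine event</match>
    <description>Hypothetical low-level rule with no email option.</description>
  </rule>
  <rule id="100002" level="10">
    <match>admin login</match>
    <description>Hypothetical high-level rule, emailed by the threshold alone.</description>
  </rule>
  <rule id="100003" level="12">
    <options>no_email_alert</options>
    <match>noisy event</match>
    <description>Hypothetical high-level rule that opts out of email.</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return {rule_id: {"level": int, "options": [..], "description": str}}."""
    root = ET.fromstring(xml_text.strip())
    rules = {}
    for r in root.iter("rule"):
        options = []
        for o in r.findall("options"):
            if o.text:
                # one option per element is the usual form; tolerate commas too
                options.extend(p.strip() for p in o.text.split(",") if p.strip())
        desc = r.findtext("description", default="").strip()
        rules[r.get("id")] = {
            "level": int(r.get("level", "0")),
            "options": options,
            "description": desc,
        }
    return rules


def should_email(rule, mail_alert_level=7):
    """Decide whether an alert fired by this rule is emailed.

    Per-rule options override the global threshold: no_email_alert always
    suppresses email, alert_by_email always sends it, otherwise the rule's
    level is compared against the threshold (default 7, as in the thread).
    """
    if "no_email_alert" in rule["options"]:
        return False
    if "alert_by_email" in rule["options"]:
        return True
    return rule["level"] >= mail_alert_level


def email_decisions(xml_text, mail_alert_level=7):
    """Map every rule id in the rule set to True (emailed) or False."""
    return {
        rid: should_email(rule, mail_alert_level)
        for rid, rule in parse_rules(xml_text).items()
    }


if __name__ == "__main__":
    for rid, emailed in email_decisions(SAMPLE_RULES).items():
        print(rid, "email" if emailed else "no email")
```

Running it with the default threshold shows rule 502 emailing despite being level 3, the plain level-3 rule staying quiet, and the level-12 rule being silenced by its opt-out; lowering the threshold to 3 brings the plain level-3 rule into email as well, which is the "change that for every rule" route from the reply.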
On Sat, Feb 14, 2009 at 6:04 PM, Chris Kolb <[email protected]> wrote:
> Although I've only been using OSSEC for a couple of weeks, I believe it's
> one of the best tools I've used! I have three environments in which I wish
> to deploy it. The first, an environment comprised of mainly Windows Server
> 2003, is now being monitored and I feel that all is going well so far. The
> other two environments, however, are Windows 2008, which brings me to my
> first question.
>
> 1. Is Windows 2008 supported by OSSEC? I don't seem to see rules
> that are written specifically for Windows 2008, and unfortunately Microsoft
> did renumber all/most of the event IDs in this iteration of the OS. This
> Microsoft help and support page lists the event IDs:
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226, and this
> useful third party article expounds on the problem quite a bit:
> http://blogs.manageengine.com/eventloganalyzer/2008/12/08/windows-vista-and-2008-server-events/
>
> 2. I'm far from thoroughly acquainted with the OSSEC documentation
> just yet, but I have been over it enough that I'm writing some simple rules
> and doing some other tuning. However, I haven't quite figured out the alert
> levels yet. It seems that by default I'm supposed to receive emails when
> the alert level is 7 or higher… however, I get many alerts for level 3 and
> such. Why is this? On a related note, I've read that the packaged rules
> use alert levels 0-15, but other than learning that a higher alert level
> represents a more concerning event have not seen any list of what the
> various levels are intended to mean so that I may gain an understanding of
> how an alert level was assigned to each rule (and therefore know how to
> assign alert levels to my own rules). Is there such an explanation
> somewhere?
>
>
> Thanks for your assistance.
>
> Chris Kolb
> Manager of Information Security
>
> GDSX, Ltd.
> Phone: 972-612-7121
> Fax: 972-612-7021