Update: By adding all the days DHCP log files into my ossec.conf file on the Win2003 DHCP server we use worked, I now see the monitoring of the logs. Note: Restart Ossec service, then DHCP Service, then Ossec service again. Will keep my eye on it to make sure it still works ok after few days.
-Derek > > phish phreek wrote: >> In the last rules file I emailed to the list, I choose IDs in the 12200 >> range since the named rules were in the 12100 range. I've left the ipv4 >> rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in >> the 12300 range. > > This will be OK for testing, but you're probably better of using rule > IDs in the user range of 100,000-120,000 so that there aren't any > conflicts during an upgrade. When they get accepted into the project, > Daniel will assign a unique group of IDs. > >> Before I send the updated decoders and rules, I wanted to get a better >> understanding of the rule alert levels and rule groups. I've been >> looking over some of the documentation between the manual and the FAQs. >> I'm not sure that either of them are documented? I've also not been able >> to find valid "log types" to monitor. In my case, I just used syslog and >> it's working but I'm not sure if I should use something else? > > OSSEC Rule ID Groupings and Best Practices: > http://ossec.net/wiki/index.php/Know_How:RuleIDGrouping > > As to the log type, are the DHCP logs in the event log format? In that > case, you may want to try <type>windows</type>. > >> Where can I find out the alert level scale? Or, how should I assign >> alert levels to my rules? I've set all my rules to alert level 5 to start. > > This should help: http://ossec.net/wiki/index.php/Know_How:Rules_Severity > > In my experience, however, simply use this as a guide. If there is > something that warrants a larger or smaller severity then simply use > good judgment. > >> Are the rule groups predefined or can I use my own? I've used some of >> the groups that I've seen defined in other rules such as >> "service_availability" but I've gone on to define my own such as >> "dhcp_lease_action","dhcp_maintenance","dhcp_dns_maintenance" and >> "dhcp_rogue_server". > > You can make up your own groups, but try to use the pre-defined groups > where it makes sense. More info here: > http://ossec.net/wiki/index.php/Know_How:Rule_Groups > >> Where is a list of valid log types that you define on the agent's >> ossec.conf file when you tell it to monitor a log? > > You can use strftime or globbing in the log name definition, otherwise, > just feed it a log file and use the decoder as a guide for the log type. > One hint: single line ASCII log files can be defined as syslog even if > they aren't properly syslog-formatted. > > One final tip: use the local_decoder.xml file until this is accepted > into the project, because if you don't, you might lose all your work > during an upgrade! >
