Great news. Mine is still alerting too. Feel free to email me directly
if you run into more problems. I'm only getting the digest of this
group.

On May 12, 9:15 am, "Derek J. Morris" <[email protected]>
wrote:
> Update:
>
> By adding all the days' DHCP log files into my ossec.conf file on the Win2003
> DHCP server we use worked, I now see the monitoring of the logs. Note: Restart
> Ossec service, then DHCP Service, then Ossec service again. Will keep my eye
> on it to make sure it still works ok after a few days.
>
> -Derek
>
>
>
> > phish phreek wrote:
> >> In the last rules file I emailed to the list, I choose IDs in the 12200
> >> range since the named rules were in the 12100 range. I've left the ipv4
> >> rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in
> >> the 12300 range.
>
> > This will be OK for testing, but you're probably better off using rule
> > IDs in the user range of 100,000-120,000 so that there aren't any
> > conflicts during an upgrade. When they get accepted into the project,
> > Daniel will assign a unique group of IDs.
>
> >> Before I send the updated decoders and rules, I wanted to get a better
> >> understanding of the rule alert levels and rule groups. I've been
> >> looking over some of the documentation between the manual and the FAQs.
> >> I'm not sure that either of them is documented. I've also not been able
> >> to find valid "log types" to monitor. In my case, I just used syslog and
> >> it's working but I'm not sure if I should use something else?
>
> > OSSEC Rule ID Groupings and Best Practices:
> > http://ossec.net/wiki/index.php/Know_How:RuleIDGrouping
>
> > As to the log type, are the DHCP logs in the event log format? In that
> > case, you may want to try <type>windows</type>.
>
> >> Where can I find out the alert level scale? Or, how should I assign
> >> alert levels to my rules? I've set all my rules to alert level 5 to start.
>
> > This should help: http://ossec.net/wiki/index.php/Know_How:Rules_Severity
>
> > In my experience, however, simply use this as a guide. If there is
> > something that warrants a larger or smaller severity then simply use
> > good judgment.
>
> >> Are the rule groups predefined or can I use my own? I've used some of
> >> the groups that I've seen defined in other rules such as
> >> "service_availability" but I've gone on to define my own such as
> >> "dhcp_lease_action","dhcp_maintenance","dhcp_dns_maintenance" and
> >> "dhcp_rogue_server".
>
> > You can make up your own groups, but try to use the pre-defined groups
> > where it makes sense. More info here:
> > http://ossec.net/wiki/index.php/Know_How:Rule_Groups
>
> >> Where is a list of valid log types that you define on the agent's
> >> ossec.conf file when you tell it to monitor a log?
>
> > You can use strftime or globbing in the log name definition, otherwise,
> > just feed it a log file and use the decoder as a guide for the log type.
> > One hint: single line ASCII log files can be defined as syslog even if
> > they aren't properly syslog-formatted.
>
> > One final tip: use the local_decoder.xml file until this is accepted
> > into the project, because if you don't, you might lose all your work
> > during an upgrade!

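The thread touches four things a practitioner would want to see together: a `localfile` entry that picks up the per-weekday DHCP audit logs via strftime instead of listing every day by hand, a decoder kept in `local_decoder.xml` so an upgrade does not overwrite it, rules numbered in the 100,000-120,000 user range, and the custom groups ("dhcp_lease_action", "dhcp_maintenance", "dhcp_rogue_server") mixed with a pre-defined one ("service_availability"). The following is an added example written for this thread, not configuration posted by anyone on the list. It assumes the Windows DHCP audit log's default CSV layout (`ID,Date,Time,Description,IP Address,Host Name,MAC Address`) and default file names `DhcpSrvLog-<Day>.log` under `System32\dhcp`; the event IDs and the alert levels chosen here are illustrative and should be checked against the header that the DHCP server writes at the top of its own log.

```xml
<!-- ===== ossec.conf on the Windows DHCP server agent (added example) =====
     One localfile entry covers all seven DhcpSrvLog-<Day>.log files:
     strftime expands %a to Mon, Tue, ... so the agent follows today's file.
     The path is the default install location; adjust to your server. -->
<ossec_config>
  <localfile>
    <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-%a.log</location>
    <!-- single-line ASCII log, so "syslog" works even though it is CSV -->
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

<!-- ===== local_decoder.xml on the manager (added example) =====
     Lines look like:  10,05/12/09,09:15:01,Assign,10.0.0.23,host1.lab,0011223344AA
     (constructed sample line; header/comment lines do not match the prematch). -->
<decoder name="windows-dhcp">
  <prematch>^\d+,\d\d/\d\d/\d\d,</prematch>
</decoder>

<decoder name="windows-dhcp-fields">
  <parent>windows-dhcp</parent>
  <!-- id, date, time, description, ip, hostname, mac -->
  <regex>^(\d+),\S+,\S+,\.+,(\S*),(\S*),(\S*)</regex>
  <order>id, srcip, system_name, extra_data</order>
</decoder>

<!-- ===== local_rules.xml on the manager (added example) =====
     IDs live in the 100,000-120,000 user range so nothing collides with
     rules shipped by the project. Levels follow the severity guide loosely:
     routine lease traffic is low, conflicts mid, a server that stops
     serving clients high. -->
<group name="local,dhcp,">

  <!-- level 0 parent: matches every decoded DHCP line, alerts on nothing -->
  <rule id="100100" level="0">
    <decoded_as>windows-dhcp</decoded_as>
    <description>Windows DHCP server audit log event.</description>
  </rule>

  <!-- 10 = new lease, 11 = renew, 12 = release (assumed Windows event IDs) -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <id>^10$|^11$|^12$</id>
    <description>DHCP lease issued, renewed or released.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <!-- 13 = address found in use on the network (assumed event ID) -->
  <rule id="100102" level="7">
    <if_sid>100100</if_sid>
    <id>^13$</id>
    <description>DHCP: IP address already in use on the network (conflict).</description>
    <group>dhcp_maintenance,</group>
  </rule>

  <!-- 14 = scope exhausted; many in a short window is worth a look -->
  <rule id="100103" level="9" frequency="10" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <id>^14$</id>
    <description>DHCP: repeated lease failures, address pool may be exhausted.</description>
    <group>dhcp_maintenance,service_availability,</group>
  </rule>

  <!-- 56 = authorization failure, server stopped servicing clients (assumed) -->
  <rule id="100104" level="10">
    <if_sid>100100</if_sid>
    <id>^56$</id>
    <description>DHCP server failed AD authorization and stopped serving clients.</description>
    <group>dhcp_rogue_server,service_availability,</group>
  </rule>

</group>
```

Two things worth noting. The decoder regex uses OSSEC's own pattern syntax (`\d`, `\S`, `\.` for any character), not PCRE, and the capture groups are bound positionally to the `<order>` fields; keep the pair in `local_decoder.xml`, as the last reply in the thread advises, or an upgrade will overwrite it. The frequency rule on ID 14 fires only after ten matching events within two minutes, which is the usual way to turn a noisy per-line event into a single actionable alert rather than raising every line to a high level.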