Yo, Karan - think I get what you're asking, so let me give it a go. OSSEC comes with most of the rules you will ever need - probably will take a month or two before you need to write any rules of your own. The fact that you see logs means the rules are working. The thing to recognize is that OSSEC isn't a reporting tool, it's a log analyzer that can take action based on events - the most common action being to send an email on suspicious events. So don't think of it as a reporting tool, but rather a tool that will alert you in real time for multiple failed logins (for example). If you just install OSSEC (no email alerts, no GUI, no database output) then all you will see are growing logs and nothing else.
Having said that, there are still some very useful stats that can be reported - the first thing to do is install the GUI. From the GUI, you can do things like run a failed login report for any given time period, check integrity stats, etc. Not a pretty report, but I certainly find it to be good enough. There is also a command line reporting tool, some docs here: http://www.ossec.net/dcid/?p=153 You can also enable database output and write your own queries. But, once again, start with the GUI and see if it does what you need.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of karan
Sent: Monday, January 04, 2010 7:10 AM
To: ossec-list
Subject: [ossec-list] Re: Pls help to me

Dear Dave,

Thank you very much for your reply. I fully read the OSSEC articles, whatever you mention. Again I face the problem: how to create a new rule for our environment. OSSEC output log size is very high, and every second we receive more logs. My request is how to separate logs like user name, date, time, category, windows security, and description, etc. for report purposes.

Awaiting your favorable reply

with regards
Kirubakaran.K
India

On Jan 1, 8:17 pm, Dave S <[email protected]> wrote:
> Karan,
> This discussion group isn't for teaching.
> If you have a specific problem or issue, then bring it here, but first
> you have to try finding your own answers.
>
> There's lots of documentation you can check out to find your answers.
>
> There's the OSSEC Manual at http://www.ossec.net/main/manual/
> And the FAQ is a great place to get started http://www.ossec.net/main/manual/manual-faq/
> The OSSEC Wiki has articles on specific problems http://www.ossec.net/wiki/OSSEC
>
> And there's a real good book on OSSEC available on Amazon.com. http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/1...
>
> Start reading!
> -Dave
>
> On Dec 31 2009, 6:09 am, karan <[email protected]> wrote:
>
> > Dear Sir,
> > I have newly installed OSSEC in our organization, I don't
> > know how to create Rules for our environment. Pls kindly help
> > me with basic knowledge of OSSEC tools
> >
> > Awaiting your reply
> >
> > with warm regards
> > Kirubakaran.K
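As an added illustration of the "alert on multiple failed logins" case Dave describes (this is not code from the thread or from OSSEC's shipped rule set): a user-defined composite rule for local_rules.xml. It assumes rule id 5716 is OSSEC's stock "SSHD authentication failed" rule and that the email threshold in ossec.conf is left at its default; the threshold and id 100100 are choices for this example.

```xml
<!-- local_rules.xml: user-written rules go here so OSSEC upgrades do not
     overwrite them. Ids 100000-119999 are reserved for local rules. -->
<group name="local,syslog,sshd,">

  <!-- Composite rule: fires when the stock single-failure rule (assumed id
       5716, "SSHD authentication failed") has matched 5 times within 120
       seconds from the same source IP. Level 10 is above the default
       email_alert_level, and alert_by_email forces a mail regardless. -->
  <rule id="100100" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Local rule: 5 failed SSH logins from one source within 2 minutes.</description>
    <group>authentication_failures,</group>
    <options>alert_by_email</options>
  </rule>

</group>
```

Before restarting OSSEC, feed a sample sshd "Failed password" line to /var/ossec/bin/ossec-logtest to confirm the base rule still matches and the new rule file loads without errors.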
