The logall option will save the logs in /var/ossec/logs/archives/ (after restarting the server of course). There probably aren't any default rules for these logs, so you may have to write your own. You should be able to forward the syslog data to a system that is listening for syslog messages so that ossec can get to the logs.
On Mon, May 10, 2010 at 9:41 AM, Muraleedaran Kanapathy <[email protected]> wrote:
> Dear Daniel
>
> Thanks a lot for the reply.
>
> Yes, I have set <logall> to yes, but still I am not getting any logs in
> the alerts.
>
> For the CISCO and other network devices, can we get the syslog data to
> OSSEC?
>
> Best regards,
>
> Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
> Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
> Disclaimer: This electronic mail message contains information that (a) is or
> may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE
> PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the
> Addressee(s) named herein. If you are not the intended recipient, an
> addressee, or the person responsible for delivering this to an addressee, you
> are hereby notified that reading, using, copying, or distributing any part of
> this message is strictly prohibited. If you have received this electronic
> mail message in error, please contact us immediately and take the steps
> necessary to delete the message completely from your computer system. Unless
> explicitly attributed, the opinions expressed in this message do not
> necessarily represent the official position or opinions of Integrated
> Networks LLC., whilst all care has been taken, Integrated Networks LLC.
> disclaims all liability for loss or damage to person or property arising from
> this message being infected by computer virus or any type of contamination.
>
> ________________________________
> From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Cid
> Sent: Monday, May 10, 2010 4:30 PM
> To: [email protected]
> Subject: Re: [ossec-list] ossec for log analysis
>
> Hi,
>
> OSSEC by default will only generate alerts on events that have potential
> security value. Most events from the "System" and "Application" event log
> are just informational and OSSEC will not store them.
>
> If you need to have all of them stored, go to your ossec.conf (on the manager)
> and set <logall> to "yes". Everything will then be logged in the archives.log.
>
> *You also mentioned Cisco logs. What kind of Cisco logs are those?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sat, May 8, 2010 at 1:06 PM, Muraleedaran Kanapathy <[email protected]> wrote:
> > Dear Sirs
> >
> > We are in the process of installing OSSEC for log analysis purposes
> > for the PCI DSS requirement.
> >
> > In Windows I have installed the OSSEC agent, but I am unable to see any
> > Windows event logs such as Application and System, except for the Security
> > logs (including CISCO logs).
> >
> > How can I search these logs via the ossec web interface?
> >
> > Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
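The two manager-side changes discussed in this thread, enabling <logall> and accepting syslog from network devices, shown as an added ossec.conf fragment that is not taken from the list posts; the 192.168.10.0/24 range and port 514 are assumed placeholders for the reader's own environment.

```xml
<!-- Added example ossec.conf fragment for the OSSEC manager (not from the
     thread). The sender network and port below are assumed placeholders. -->
<ossec_config>
  <global>
    <!-- Store every received event in /var/ossec/logs/archives/archives.log,
         not only the ones that fire a rule. Size the disk for this volume. -->
    <logall>yes</logall>
  </global>

  <!-- Listen for syslog from Cisco and other network devices. Restricting
       allowed-ips to the management subnet keeps arbitrary hosts from
       injecting events into the archive or the alert stream. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.10.0/24</allowed-ips>
  </remote>
</ossec_config>
```

Restart the manager after editing, and point each device's own syslog target at this host. Events that match no rule are still written to archives.log with logall enabled, which is why nothing may appear in the alerts even though the data is being received.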
