Hi Muraleedaran,

I use syslog-ng running on CentOS, it's an excellent syslog daemon with very advanced options. I think if I was to do it again I would use rsyslog, which is very similar to syslog-ng; it will be used in RHEL 6. I also use winlogd on Windows hosts.

I use OSSEC for file integrity checking, log parsing and alerting. I also run the rootkit detection feature. I really like it because it can parse snort logs too.

With OSSEC and snort you can cover points 10.5.5, 10.6, 11.4 and 11.5 of the PCI DSS on both Linux and Windows!

Not sure what you mean by syslog viewer? I just use standard Linux text file reader tools like less/cat/more/nano etc.

I have config files I have customised for CentOS/RHEL and also Windows 2008 R2; if you want a copy, let me know.

Best Regards,
Max Williams

From: [email protected] [mailto:[email protected]] On Behalf Of Muraleedaran Kanapathy
Sent: 10 May 2010 14:59
To: [email protected]
Subject: RE: [ossec-list] RE: ossec for log analysis

Hi Max

Thanks a lot for the reply.

May I know what you used to collect the logs from network devices (routers and switches)?

And OSSEC, did you use it only for file integrity checking? If so, what is the syslog and syslog viewer you implemented?

Kindly advise

Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A | PO Box 53553, Riyadh 11593, KSA | GMT +3 | Email [email protected]

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Max Williams
Sent: Monday, May 10, 2010 3:57 PM
To: '[email protected]'
Subject: [ossec-list] RE: ossec for log analysis

Hi Muraleedaran,

You cannot browse all Windows events from the web interface; you can only view Windows events that have been triggered by a rule to generate an alert. Take a look in this file on the OSSEC server:

<ossec_path>/rules/msauth_rules.xml

You could write your own rule to generate alerts for other events. If you wish to browse all events for many hosts you could use Windows Event Collector or use winlogd to send events to a syslog server (which is what we do for PCI DSS).

Cheers,
Max

From: [email protected] [mailto:[email protected]] On Behalf Of Muraleedaran Kanapathy
Sent: 08 May 2010 17:07
To: [email protected]
Subject: [ossec-list] ossec for log analysis

Dear Sirs

We are in the process of installing OSSEC for log analysis purposes for the PCI DSS requirement. In Windows I have installed the OSSEC agent, but I am unable to see any Windows event logs such as Application and System, except for the Security logs (including CISCO logs). How can I search these logs via the OSSEC web interface?

Muraleedaran Kanapathy
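Added example, not code from the thread or from the OSSEC project: the two pieces Max's advice implies, i.e. the agent side that forwards the Application and System logs, and a local rule on the server so that events from those logs actually produce alerts (and therefore appear in the web interface). Assumptions: OSSEC's generic Windows parent rule id 18100, local rule ids in the 100000+ range reserved for local_rules.xml, the decoded `id`/`status` fields of the Windows event log decoder, and Windows event 7045 (a new service was installed) as the System-log event worth alerting on.

```xml
<!-- 1) Windows agent: <ossec_path>\ossec.conf
     Forward the three event logs as "eventlog" format; without these
     entries the Application and System logs never reach the server. -->
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- 2) OSSEC server: <ossec_path>/rules/local_rules.xml
     Rules with if_sid 18100 fire only for decoded Windows events.
     Everything that matches becomes an alert at the given level and
     is then visible in the web interface and in alerts.log. -->
<group name="local,windows,">

  <!-- System log: a new service was installed (event id 7045, assumed).
       Useful for PCI DSS change tracking; level 10 so it is mailed. -->
  <rule id="100100" level="10">
    <if_sid>18100</if_sid>
    <id>^7045$</id>
    <description>Windows: new service installed on host.</description>
    <group>service_start,policy_changed,</group>
  </rule>

  <!-- Application log: any event the Windows agent reports with
       status ERROR (the decoded status field, assumed). Level 5 keeps
       it in alerts.log for review without mailing every occurrence. -->
  <rule id="100101" level="5">
    <if_sid>18100</if_sid>
    <status>^ERROR</status>
    <description>Windows: application error event logged.</description>
  </rule>

</group>
```

After editing the rules, restart the server (`<ossec_path>/bin/ossec-control restart`) and confirm with `<ossec_path>/bin/ossec-logtest` by pasting a sample `WinEvtLog:` line to see which rule id it hits.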
