Muraleedaran Kanapathy wrote:
> What I meant is how to view the syslogs collected and to search it as
> below
>
> - Which user logged in Router A
> - What are the commands the user has typed in Router A
>
> OR can we achieve this using OSSEC, if so can you guide me with an example
>
> OR do we have to use a separate log parsing tool
I use OSSEC in a few different environments in different ways. Most recently, I have been using OSSEC as the collector for secure and unsecure (syslog) logs and using syslog-ng for filesystem-level storage.

What I do is enable <logall>yes</logall> in ossec.conf, then point syslog-ng to the archive.log. Syslog-ng then breaks the messages apart, reformats them as RFC-compliant syslog, and stores them by hostname and log source name. I have a few quirks to work out yet but when I am mostly happy with it, I will write some blog posts on how to do it.

The nice thing about this is that you can bolt on any syslog front-end you want: logzilla, Splunk, whatever. As long as they understand syslog, it should work with these logs. And this way you get *all* logs that OSSEC receives (even encrypted), which are available for archival and searching, and not just alerts.

--
Michael Starks [I] Immutable Security
http://www.immutablesecurity.com
