Hi All,
I'm trying to find out if OSSEC can be used for my needs. Certain standards
that need to be adhered to mean that using great software like OSSEC for log
parsing is a must.
However, the biggest thing is that I cannot have logs missed and go unnoticed,
therefore my plan is to send all logs to a central rsyslog host and have
rsyslog output to text files (because OSSEC can't read directly from a
database?) but also to a database (to use something like LogAnaliser or
Logzilla).
The major thing here is really that the logging mechanism cannot miss anything.
If a log entry isn't currently known to OSSEC, I understand it basically
won't be alerted on because it won't match a rule or decoder; this just isn't
good enough to meet the standards I want to set. Therefore I'd like to
know if it's possible to catch all cases where no decoder is matched and alert
on the logs that don't match a decoder. The same goes for rules at the
respective decoder level: if the rules aren't matched for that decoder, again
an alert should be sent so that the admin can look at the log message and then
make corrective changes, either to stop the log message being alerted on or to
create an appropriate rule.
Thanks All