Try putting a <logall>yes</logall>
within the <global>...</global> section of the ossec.conf of your server, then restart. All log entries forwarded by the agents should then be stored in the /var/ossec/logs/archives subdirectory. Of course you have to make sure that the agents' configuration includes the desired logfiles.

Kind regards,
Oscar

On Aug 18, 11:20 am, Mark F <[email protected]> wrote:
> Hi All,
>
> I'm trying to find out if ossec can be used for my needs. Certain standards
> that need to be adhered to mean using great software like ossec for log
> parsing is a must.
>
> However the biggest thing is that I cannot have logs missed and go
> unnoticed, therefore my plan is to send all logs to a central rsyslog host
> and have rsyslog outputting to text files (because ossec can't read direct
> from a database?) but also to a database (to use something like LogAnaliser
> or Logzilla).
>
> The major thing here is really that the logging mechanism cannot miss
> anything, so if a log entry isn't known to ossec currently I understand it
> basically won't be alerted on because it won't match a rule or decoder; this
> just isn't good enough to be able to meet standards I want to set. Therefore
> I'd like to know if it's possible to catch all if no decoder is matched and
> alert to the logs that don't match a decoder... but the same goes for rules
> in a respective decoder level, and if the rules aren't matched for that
> decoder again an alert is to be sent so that the admin can look at the log
> message and then make corrective changes to stop the log message being
> alerted or to create an appropriate rule.
>
> Thanks All
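As an added example (not code from the original thread or from the OSSEC project), a small Python helper that applies Oscar's change idempotently and checks it. The sample ossec.conf text is constructed, and the code assumes OSSEC's usual layout of one or more top-level <ossec_config> blocks, which is why the file is wrapped in a synthetic root before parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not from the original post). Real OSSEC configs
# commonly contain several top-level <ossec_config> blocks, which is not
# well-formed XML on its own, so the text is wrapped in a synthetic root.
SAMPLE_CONF = """<ossec_config>
  <!-- server-wide settings -->
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>

<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
"""


def _parse(conf_text: str) -> ET.Element:
    # Drop a leading XML declaration if present; it cannot follow the wrapper.
    conf_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_text)
    # insert_comments=True (Python 3.8+) keeps the file's own comments intact.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring("<wrapper>" + conf_text + "</wrapper>", parser=parser)


def enable_logall(conf_text: str) -> str:
    """Return conf_text with <logall>yes</logall> set inside <global>.

    Idempotent: an existing <logall> is updated, never duplicated, and a
    <global> section is created in the first <ossec_config> if none exists.
    """
    root = _parse(conf_text)
    blocks = root.findall("ossec_config")
    if not blocks:
        raise ValueError("no <ossec_config> block found")
    global_el = root.find("ossec_config/global")
    if global_el is None:
        global_el = ET.SubElement(blocks[0], "global")
    logall = global_el.find("logall")
    if logall is None:
        logall = ET.SubElement(global_el, "logall")
    logall.text = "yes"
    # Serialize each block back without the synthetic wrapper (tails keep spacing).
    return "".join(ET.tostring(b, encoding="unicode") for b in blocks)


def logall_enabled(conf_text: str) -> bool:
    """True only if at least one <logall> exists and every one of them says 'yes'."""
    values = [e.text.strip().lower() for e in _parse(conf_text).iter("logall") if e.text]
    return bool(values) and all(v == "yes" for v in values)
```

Restart the OSSEC server after writing the result back, and watch /var/ossec/logs/archives grow, since archiving everything the agents forward can consume disk quickly.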
