On Tue, Oct 19, 2010 at 9:10 PM, Vitor Correia <[email protected]> wrote:
> Hello everyone,
>
> I have an apache server with an ssl-only site with restrictions on who
> can browse it by means of digital certificates. Meaning that in order
> to browse the secure site one would need to have an x509 certificate
> issued by our office CA.
> I use OSSEC in all of our servers and I'd like to know if with OSSEC I
> can monitor access_ssl_log entries and know the time, ip and which
> certificate was used to login?
>
> Any pointers on how to create a rule for this would be greatly appreciated.
>
> Thanks.
>
> --
> Vítor Correia
> [email protected] | www.vitorcorreia.info

I'm guessing Apache would log those transactions in the same format it
logs non-ssl transactions, so it should be possible.

<localfile>
  <log_format>apache</log_format>
  <location>/path/to/log/file</location>
</localfile>

Then you'd have to look at the logs to see what you want to create rules
for, and write the rules.

Rule syntax: http://www.ossec.net/doc/syntax/head_rules.html
More info: http://www.ossec.net/doc/manual/rules-decoders/index.html
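
One way to get the time, source IP and client certificate into an OSSEC alert, as an added example that is not part of the original thread or of OSSEC's shipped rules. It assumes Apache is told to write mod_ssl's SSL_CLIENT_M_SERIAL and SSL_CLIENT_S_DN variables to the log; the "sslcert:" line tag, the decoder name and the rule id 100100 are hypothetical choices, and the sample log line is constructed.

```xml
<!-- 1) Apache (httpd.conf / SSL vhost), shown here as a comment.
     Assumed format; "sslcert:" is a made-up tag so the line does not
     collide with the stock web-accesslog decoder, which keys on a
     leading IP address. mod_ssl writes "-" when no certificate is sent.

     CustomLog /path/to/log/file "sslcert: %h %t %{SSL_CLIENT_M_SERIAL}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s"

     Constructed sample line produced by that format:
     sslcert: 192.0.2.10 [19/Oct/2010:21:10:00 +0100] 0A1B2C "/C=PT/O=Example Office/CN=Example User" "GET / HTTP/1.1" 200
-->

<!-- 2) ossec.conf on the agent: the <localfile> block from the reply,
     pointing at the same file as the CustomLog directive. -->
<localfile>
  <log_format>apache</log_format>
  <location>/path/to/log/file</location>
</localfile>

<!-- 3) etc/local_decoder.xml on the OSSEC server.
     Extracts the client address and the certificate serial; the log
     timestamp and the full subject DN stay visible in the raw log line
     that OSSEC attaches to every alert. -->
<decoder name="apache-ssl-clientcert">
  <prematch>^sslcert: </prematch>
  <regex offset="after_prematch">^(\S+) [\S+ \S\d+] (\S+) </regex>
  <order>srcip, id</order>
</decoder>

<!-- 4) rules/local_rules.xml on the OSSEC server.
     Rule id 100100 is a hypothetical id in the user-defined range. -->
<group name="local,apache,ssl_client_cert,">
  <rule id="100100" level="3">
    <decoded_as>apache-ssl-clientcert</decoded_as>
    <description>Apache SSL site accessed with a client certificate.</description>
  </rule>
</group>
```

Pasting the constructed sample line into /var/ossec/bin/ossec-logtest on the server shows whether the decoder and rule match before any real traffic is involved.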
