Hi, I have the exact same deployment scenario (ossec running off a syslog-ng centralized log) and requirement, i.e. to identify if some servers/devices stop logging.

Ossec does not support this by default, but I'm thinking of using the active-response feature to do this. What I *plan* to do is:

1. Set up a rule that will fire an alert on every log.
2. Set up an active response command that will get invoked for every log message. The command will pass the 'srcip' to a daemon process (which has to be developed).
3. The daemon process will keep track of srcips and will generate an alert if a source stops logging for a certain amount of time.

The downside to this is that there will be a performance hit since ossec is firing an alert on every log message. I don't know how much of a performance hit this will be, but OSSEC currently exceeds my required EPS by a factor of 2, so I know I have some room to play with.

On Wed, Dec 15, 2010 at 5:30 AM, NewRules <[email protected]> wrote:
> Hi,
>
> I'm using ossec as a log correlator.
> For log centralization I'm using syslog-ng (for formatting features),
> thus I'm not using ossec agents for log collection.
>
> I want to know if there is any option to set an alert when no logs or an
> unusual amount of log from a certain host is noticed.
>
> The problem I've been through is that after servers reboot, syslog-ng
> agents did not restart for some reason and thus they were not sending
> logs anymore. Ossec did not warn me about it.
>
> How is it possible to set this kind of alert?
>
> Thanks,
