I was able to successfully get the active-responses.log to alert via syslog.

Here is my log:

Thu Jan 6 16:18:29 EST 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.100.229.132 1294348709.10093 570

I am trying to understand what each of these fields means:

Action: /var/ossec/active-response/bin/host-deny.sh add
SourceIP: 192.100.229.132

What's 1294348709.10093 and 5706??

I wrote a decoder under decoder.xml and a rule under local_rule.xml. I have some questions:

1. I had defined the order action,srcip,extra_data but they don't show up in the alerts.log.
2. I defined a custom rule under local_rule.xml but I am not sure what ID to give there. How do I find out which rule ID is not used? I am trying to identify each log uniquely by its rule id, so I need to make sure I give a unique rule id to this custom rule.

Please advise.

Thanks,
Saket

On Jan 6, 11:55 am, "loyd. darby" <[email protected]> wrote:
> You also need to make sure your active response works without ossec.
> If it won't work manually, it won't work as a script.
>
> On 01/05/2011 02:51 PM, dan wrote:
> > On Wed, Jan 05, 2011 at 11:06:29AM -0800, Saket wrote:
> >> Indeed!
> >>
> >> But, there is a feature to follow local files. Like how we follow /var/log/message and /var/log/secure in linux and winEvtlog from Windows, can we follow ossec.log and active-responses.log as a localfile as well? Ideally it should log every change in these two files to the alert.log.
> >>
> >> It clearly says analyzing ossec.log and active-responses.log in the ossec.log but it doesn't seem to work.
> >>
> >> Please advise.
> >>
> >> Thanks,
> >> Saket
> >
> > You would need to create rules for the log messages. If there isn't a rule that matches, an alert will not fire.
> >
> > dan
> >
> >> On Jan 5, 6:44 am, "[email protected]"<[email protected]> wrote:
> >>> Alerts.log only gets alerts. The syslog client in ossec only sends alerts. Not all log messages will get forwarded from the manager to an external syslog server.
> >>>
> >>> -----Original Message-----
> >>> From: Saket
> >>> Sent: 01/04/2011 6:49:57 PM
> >>> Subject: [ossec-list] Consolidating ossec.log and active-responses.log into alert.log and exporting it to a syslog server
> >>>
> >>> Hi,
> >>>
> >>> I am trying to consolidate the active-responses.log and the ossec.log using the workaround provided in the thread. I have configured a syslog export of logs. So as of now all the alerts.log is being exported to the syslog server. But for some reason the other files are not being sent.
> >>>
> >>> I have included the following in the ossec.conf file:
> >>>
> >>> <syslog_output>
> >>>   <server>x.x.x.x</server>
> >>> </syslog_output>
> >>>
> >>> <localfile>
> >>>   <location>/var/ossec/logs/ossec.log</location>
> >>>   <log_format>syslog</log_format>
> >>> </localfile>
> >>>
> >>> <localfile>
> >>>   <location>/var/ossec/logs/active-responses.log</location>
> >>>   <log_format>syslog</log_format>
> >>> </localfile>
> >>>
> >>> I checked the ossec.log file and it clearly says:
> >>>
> >>> Analysing File: '/var/ossec/logs/active-responses.log' and '/var/ossec/logs/ossec.log'
> >>>
> >>> But, whatever is being written to these 2 files is not being exported or written to the alerts.log.
> >>>
> >>> Is there anything wrong in my configuration or am I missing something here?
> >>>
> >>> Please advise.
> >>>
> >>> Thanks,
> >>> Saket
>
> --
> R. Loyd Darby, OSSIM-OCSE
> Project Manager DOC/NOAA/NMFS
> Infrastructure coordinator
> Southeast Fisheries Science Center
> 305-361-4297
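The following is an added example, not code from the thread or from the OSSEC project. OSSEC's stock active-response scripts (host-deny.sh among them) append `` `date` $0 $1 $2 $3 $4 $5 `` to active-responses.log, and the manager invokes every script with the same positional arguments: action (add/delete), user, source IP, alert ID and rule ID, with `-` standing in for a field the alert did not carry. So in the line quoted above, 1294348709.10093 is the alert ID and the trailing number is the ID of the rule that triggered the response. The integer part of the alert ID is the alert's Unix time (1294348709 is 21:18:29 UTC on 6 Jan 2011, the same instant as the 16:18:29 EST stamp at the start of the line); the part after the dot is OSSEC's uniqueness suffix (assumed here to be the alert's offset in alerts.log). The script below parses such lines and, for the second question, picks an unused ID from the 100000-109999 range that OSSEC documents as reserved for user-defined rules. The second sample line and the local_rules.xml fragment are constructed, and the rule IDs in them are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the format OSSEC's active-response scripts
# (e.g. host-deny.sh) append to /var/ossec/logs/active-responses.log:
#   `date` $0 $1 $2 $3 $4 $5
# where $1=action, $2=user, $3=srcip, $4=alert id, $5=rule id.
# The first line is the one quoted in the thread; the second is made up.
SAMPLE_LINES = [
    "Thu Jan 6 16:18:29 EST 2011 /var/ossec/active-response/bin/host-deny.sh "
    "add - 192.100.229.132 1294348709.10093 570",
    "Thu Jan 6 16:28:29 EST 2011 /var/ossec/active-response/bin/host-deny.sh "
    "delete - 192.100.229.132 1294348709.10093 570",
]

AR_LINE = re.compile(
    r"^(?P<logged_at>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<script>\S+) "
    r"(?P<action>add|delete) "
    r"(?P<user>\S+) "          # "-" when the alert carried no user
    r"(?P<srcip>\S+) "         # "-" when the alert carried no source IP
    r"(?P<alert_id>\d+\.\d+) "
    r"(?P<rule_id>\d+)\s*$"
)


def parse_active_response(line):
    """Return the fields of one active-responses.log line, or None if it
    is not an active-response record (e.g. a script's own error output)."""
    m = AR_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # OSSEC passes "-" for fields the triggering alert did not carry.
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["srcip"] = None if rec["srcip"] == "-" else rec["srcip"]
    # The alert ID is <unix time>.<suffix>; the time part can be checked
    # against the date stamp at the start of the line.
    epoch, suffix = rec["alert_id"].split(".")
    rec["alert_time_utc"] = datetime.fromtimestamp(
        int(epoch), tz=timezone.utc
    ).strftime("%Y-%m-%d %H:%M:%S")
    rec["alert_suffix"] = suffix
    rec["rule_id"] = int(rec["rule_id"])
    return rec


# Constructed local_rules.xml fragment (hypothetical rule IDs, not from
# the thread) used to demonstrate finding a free ID.
SAMPLE_LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100000" level="3">
    <decoded_as>active-response-log</decoded_as>
    <description>OSSEC active response fired.</description>
  </rule>
  <rule id="100001" level="0">
    <if_sid>100000</if_sid>
    <description>Noise: same response repeated.</description>
  </rule>
</group>
"""

# OSSEC reserves 100000-109999 for user-defined rules; everything below
# that is taken or reserved by the shipped rule set.
LOCAL_RULE_RANGE = range(100000, 110000)


def rule_ids_in(xml_text):
    """Collect the id="..." attributes of every <rule> tag in a rules file."""
    return {int(x) for x in re.findall(r'<rule\s+[^>]*?\bid="(\d+)"', xml_text)}


def next_free_local_rule_id(*xml_texts):
    """Lowest ID in the user-defined range not used by any given rules file."""
    used = set().union(*(rule_ids_in(t) for t in xml_texts))
    for rid in LOCAL_RULE_RANGE:
        if rid not in used:
            return rid
    raise ValueError("no free ID left in the local rule range")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_active_response(line))
    print("next free local rule id:", next_free_local_rule_id(SAMPLE_LOCAL_RULES))
```

To check a live manager, feed it the contents of every file listed under `<rules>` in ossec.conf rather than local_rules.xml alone, since `next_free_local_rule_id` only knows about the text it is given.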
