Hi,

On Thu, Jan 6, 2011 at 7:56 PM, Saket <[email protected]> wrote:
> I was able to successfully get the active-responses.log to alert via
> syslog
>
> Here is my log : Thu Jan  6 16:18:29 EST 2011 /var/ossec/active-
> response/bin/host-deny.sh add - 192.100.229.132 1294348709.10093 570
>
> I am trying to understand what each of these fields mean
>
> Action: /var/ossec/active-response/bin/host-deny.sh add
> SourceIP: 192.100.229.132
>
> What's 1294348709.10093 and 5706 ??

Timestamp and Rule ID.

>
> I wrote a decoder under decoder.xml and rule under local_rule.xml
>

You should put the decoder in local_decoder.xml so it doesn't get
overwritten during an upgrade.

> I have some questions:
>
> 1. I had defined the order action,srcip,extra_data but they don't show
> up in the alerts.log
>

They're in the log message; they won't be broken out in the alerts.log file.

> 2. I defined a custom rule under local_rule.xml but, I am not sure
> what ID to give there. How do I find out which Rule ID is not used?
>

http://www.ossec.net/wiki/Know_How:RuleIDGrouping
Start with 100000.

> I am trying to identify each log uniquely by its rule id so I need to
> make sure I give a unique rule id to this custom rule.
>
> Please advise.
>
> Thanks,
> Saket
>
> On Jan 6, 11:55 am, "loyd. darby" <[email protected]> wrote:
>> You also  need to make sure your active response works without ossec.
>> If it won't work manually, it won't work as a script.
>>
>> On 01/05/2011 02:51 PM, dan wrote:
>>
>> > On Wed, Jan 05, 2011 at 11:06:29AM -0800, Saket wrote:
>> >> Indeed !
>>
>> >> But, there is a feature to follow local files. Like how we follow /var/
>> >> log/message and /var/log/secure in linux and
>> >> winEvtlog from Windows, can we follow ossec.log and active-
>> >> responses.log as a localfile as well, ideally it should log every
>> >> change in these two files to the alert.log
>>
>> >> It clearly says analyzing ossec.log and active-responses.log  in the
>> >> ossec.log but it doesn't seem to work.
>>
>> >> Please advise.
>>
>> >> Thanks,
>> >> Saket
>>
>> > You would need to create rules for the log messages. If there isn't a
>> > rule that matches, an alert will not fire.
>> > dan
>>
>> >> On Jan 5, 6:44 am, "[email protected]"<[email protected]>  wrote:
>> >>> Alerts.log only gets alerts. The syslog client in ossec only sends 
>> >>> alerts. Not all log messages will get forwarded from the manager to an 
>> >>> external syslog server.
>>
>> >>> -----Original Message-----
>> >>> From: Saket
>> >>> Sent: 01/04/2011 6:49:57 PM
>> >>> Subject: [ossec-list] Consolidating ossec.log and active-responses.log 
>> >>> into alert.log and exporting it to a syslog server
>>
>> >>> Hi,
>>
>> >>> I am trying to consolidate the active-responses.log and the ossec.log
>> >>> using the workaround provided in the thread. I have configured a
>> >>> syslog export of logs. So as of now all the alerts.log is being
>> >>> exported to the syslog server. But for some reason the other files are
>> >>> not being sent.
>>
>> >>> I have included the following in the ossec.conf file:
>>
>> >>> <syslog_output>
>> >>> <server>x.x.x.x</server>
>> >>> </syslog_output>
>>
>> >>> <localfile>
>> >>> <location>/var/ossec/logs/ossec.log</location>
>> >>> <log_format>syslog</log_format>
>> >>> </localfile>
>>
>> >>> <localfile>
>> >>> <location>/var/ossec/logs/active-responses.log</location>
>> >>> <log_format>syslog</log_format>
>> >>> </localfile>
>>
>> >>> I checked the ossec.log file and it clearly says:
>>
>> >>> Analysing File: '/var/ossec/logs/active-responses.log' and
>> >>> '/var/ossec/logs/ossec.log'
>>
>> >>> But, whatever is being written to these 2 files are not being exported
>> >>> or written to the alerts.log.
>>
>> >>> Is there anything wrong in my configuration or am I missing something
>> >>> here?
>>
>> >>> Please advise.
>>
>> >>> Thanks,
>> >>> Saket
>>
>> --
>> R. Loyd Darby, OSSIM-OCSE
>> Project Manager DOC/NOAA/NMFS
>> Infrastructure coordinator
>> Southeast Fisheries Science Center
>> 305-361-4297

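The thread covers three things: what the fields of an active-responses.log line are (script, add/delete, user, source IP, alert timestamp, rule ID), how to break them into the action/srcip/extra_data order Saket chose for his decoder, and how to pick an unused custom rule ID starting at 100000. The Python below is an added example written for this page, not code from the thread or from OSSEC itself. It parses constructed sample lines laid out exactly like the one quoted above into those fields, confirms that the alert ID's integer part is the epoch time of the event, and finds the lowest free ID at or above 100000. The mapping of "alert_id rule_id" onto extra_data and the field names are my assumptions; the sample IPs and timestamps are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the same layout as the quoted active-responses.log entry:
# <date> <script> <add|delete> <user> <srcip> <alert id> <rule id>
SAMPLE_LOG = """\
Thu Jan  6 16:18:29 EST 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.100.229.132 1294348709.10093 570
Thu Jan  6 16:28:31 EST 2011 /var/ossec/active-response/bin/host-deny.sh delete - 192.100.229.132 1294349311.10093 570
Thu Jan  6 16:30:02 EST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.5 1294349402.55 5712
"""

# Regex equivalent of the decoder order action,srcip,extra_data from the thread
# (assumed layout; the trailing "alert id" is epoch-seconds.nanoseconds, then the rule id).
AR_LINE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)

# Custom rule IDs start here per the thread's advice ("Start with 100000").
LOCAL_RULE_START = 100000


def decode_line(line):
    """Decode one active-responses.log line into the fields discussed in the thread.
    Returns None for lines that do not match the expected layout."""
    m = AR_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # The integer part of the alert id is the Unix timestamp of the triggering alert.
    epoch = int(d["alert_id"].split(".")[0])
    return {
        "action": f"{d['script']} {d['action']}",      # e.g. ".../host-deny.sh add"
        "srcip": d["srcip"],
        "extra_data": f"{d['alert_id']} {d['rule_id']}",  # assumed mapping of the tail
        "rule_id": int(d["rule_id"]),
        "alert_time": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
    }


def decode_log(text):
    """Decode every matching line of a log; silently skips lines that do not match."""
    return [rec for rec in (decode_line(ln) for ln in text.splitlines()) if rec]


def is_local_rule_id(rule_id):
    """True if the ID sits in the range reserved for user-defined rules (>= 100000)."""
    return rule_id >= LOCAL_RULE_START


def next_free_rule_id(used_ids, start=LOCAL_RULE_START):
    """Lowest ID at or above `start` that is not already in use.
    `used_ids` would come from scanning your local_rules.xml for rule id="..." values."""
    used = set(used_ids)
    rid = start
    while rid in used:
        rid += 1
    return rid


if __name__ == "__main__":
    for rec in decode_log(SAMPLE_LOG):
        print(rec)
    print("next free custom rule id:", next_free_rule_id([100000, 100001, 100003]))
```

Running this on the first sample line gives alert_time 2011-01-06T21:18:29+00:00, which is 16:18:29 EST, the same time the log line itself carries, confirming dan's reading of 1294348709.10093 as the timestamp. The rule ID 570 in that line is the ID of the rule that triggered the response, not the ID of Saket's new rule for the active-responses.log message; the custom rule gets an ID from next_free_rule_id.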