Hi James,

The installation routine probably does an intricate dance to determine what logfiles are on the system. In syslog-logs.template (https://bitbucket.org/dcid/ossec-hids/src/43e8b41a8195/etc/templates/config/syslog-logs.template) there is a list of logfiles that may be on the system. I'd grep around the source tree for syslog-logs.template to see if the contents are used to help determine the logfiles on the system.

It'd be easy to write a quick wrapper script to do the checking. Heck, you could even run the script using OSSEC and make sure there aren't any new logfiles (full_command option).

There are obvious limitations to this. The biggest limitation being that the script will only find logfiles it knows about, and if someone installs a service in an odd place the script won't pick it up.

dan

On Sat, Feb 19, 2011 at 2:14 PM, James Ford <[email protected]> wrote:
> Jeremy...I could be completely wrong as I've come into this installation halfway completed and left for dead. The person who originally did it said he never did any customization, yet none of the installs match. Some are monitoring Apache, Asterisk, Radius, etc., while others are just monitoring basic log files: messages, secure, maillog... It seems to follow suit that if that service wasn't installed at the time of the OSSEC initial install, the file wasn't monitored. So this is why I believe there are variances between the basic installed systems.
>
> I haven't actually taken the time to actually try to confirm this on two different devices unfortunately, but it is just theory based on the fact that the initial installs were all just default with no customization. Once again, I could be completely wrong, and the previous guy could have made some changes and forgot.
>
> On Sat, Feb 19, 2011 at 8:49 AM, Jeremy Lee <[email protected]> wrote:
>>
>> I think I understand what you're trying to do: basically have OSSEC detect and start monitoring log files of an application(s) that was added without your knowledge? I don't think OSSEC 'scans' for log files upon installation. The localfile logs added are default entries (I may be wrong on this, but that was my understanding).
>>
>> I'm not sure if there is an out-of-the-box way to do this with OSSEC. I'm thinking it *might* be possible, for example, with the file integrity monitoring, since FIM will alert you when files are added. But then you would have to write a script that would actually add the log file to the ossec.conf file. Otherwise, you could just write a script yourself that runs every X mins/hours, looking for log files, and if new logs are found, add them to ossec.conf and restart OSSEC. I would imagine this still being difficult to accomplish, however, if you don't know the name of the log(s) and are just looking for *any* generic log message.
>>
>> On Sat, Feb 19, 2011 at 1:11 AM, James Ford <[email protected]> wrote:
>>>
>>> So I noticed in a new install that the files are automatically chosen for localfile log analysis based on currently existing logs...at least that's what appears to be the case. If that is the case, is there a way to re-run this scan? I've tried reinstalling and that didn't do it. The reason I ask this is there are sometimes new services added to our servers that we are not made aware of. As an example, Apache was loaded on one of our servers that is running an OSSEC Agent, but we were not aware of it. If it had existed when I originally installed OSSEC, it would have configured those log files to be monitored. Since it was after the fact and I was unaware it was added, it is unfortunately not. I know you can manually add them to the agent file, but for the services added that we're not aware of, that may not happen right away.
>>>
>>> What I'm curious about is whether or not you can run the scan again to look for the local files and automatically update the ossec.conf file on the agent to now monitor those files as well. If so, then I can just create a cron job to perform that scan every evening and I'll never be missing the logs for new services that OSSEC monitors by default.
>>>
>>> It's late and I hope I made this question make sense....Thanks in advance for any input or assistance!
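A concrete version of the "quick wrapper script" Dan sketches above, added here as an example; it is not code from the thread or from the OSSEC project. It pulls the `<location>` values out of an ossec.conf, compares them with a list of candidate log paths (the kind of list syslog-logs.template carries), and prints the candidates that exist on disk but have no `<localfile>` entry yet. The ossec.conf, the candidate list and the log files are all constructed in a temporary directory so the script runs anywhere; `monitored_locations`, `unmonitored_logs` and `demo` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): report log files that
# exist on disk but are not yet covered by a <localfile> entry in ossec.conf.

# Print the <location> value of every <localfile> block in an ossec.conf.
# $1 = path to ossec.conf
monitored_locations() {
    sed -n 's|.*<location>\([^<]*\)</location>.*|\1|p' "$1" | sort -u
}

# Print each candidate path that exists on disk but is not in ossec.conf.
# $1 = ossec.conf, $2 = file with one candidate log path per line
# (modelled on the list of paths syslog-logs.template holds).
unmonitored_logs() {
    conf="$1"
    candidates="$2"
    monitored=$(monitored_locations "$conf")
    while IFS= read -r log; do
        [ -n "$log" ] || continue
        [ -f "$log" ] || continue          # only report logs that actually exist
        # exact, whole-line match so /var/log/messages does not cover messages.1
        if printf '%s\n' "$monitored" | grep -Fqx -- "$log"; then
            :                              # already has a <localfile> entry
        else
            printf '%s\n' "$log"
        fi
    done < "$candidates"
}

# Build a constructed fixture (not a real system) and run the check on it.
# Two logs are monitored, one listed candidate is absent from disk, and one
# (an Apache access log, as in James's case) exists but is not monitored.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/log/httpd"
    : > "$tmp/var/log/messages"
    : > "$tmp/var/log/secure"
    : > "$tmp/var/log/httpd/access_log"
    cat > "$tmp/ossec.conf" <<EOF
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>$tmp/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>$tmp/var/log/secure</location>
  </localfile>
</ossec_config>
EOF
    printf '%s\n' "$tmp/var/log/messages" "$tmp/var/log/secure" \
        "$tmp/var/log/maillog" "$tmp/var/log/httpd/access_log" \
        > "$tmp/candidates"
    unmonitored_logs "$tmp/ossec.conf" "$tmp/candidates"
    rm -rf "$tmp"
}

demo    # prints only .../var/log/httpd/access_log
```

Because the output is one path per line and empty when everything is covered, it fits the way Dan proposes running it: as a command executed by OSSEC itself through a `full_command` localfile, so that a newly reported path shows up as an alert rather than waiting for someone to read a cron mail. It shares the limitation Dan states, though: a service writing its log somewhere the candidate list does not name is never reported.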
