Look at /var/log/message - (this is the syslog format) and compare it to the
logs you want to monitor. I'll explain this below -

OSSEC uses the log format for pre-decoding and the decoder xml for decoding
the log.  What this means is that in order for OSSEC to read the logs, it
needs to know what format the data is coming in.  When you specify "syslog"
format, OSSEC expects the log to be a single line log, with the format
<date time> <hostname> <application/process name> <... other log data>

If your logs do not follow the first 3 fields mentioned above, then you need
to use another log format.  Once the log is in syslog format, OSSEC needs to
have a "decoder" that can read the rest of the log message.  The decoder is
picked up based on the "application/process name".   E.g. if it is ftp, the
ftp decoder will be picked up.

I suggest you read the following presentation by Michael Starks.  It'll save
you a lot of time trying to figure things out.
http://www.immutablesecurity.com/index.php/2009/11/30/ossec-presentation-available/



On Tue, Jun 28, 2011 at 1:50 PM, SystemAli <[email protected]> wrote:

> Chris :
>
> When you say format, is this what you mean: /var/log/dmesg OR /var/log/btmp
> etc etc... These are the kind of files I intend to record...
>
> Is there something that I am missing?
>
> On Tue, Jun 28, 2011 at 11:03 PM, Christopher Moraes <
> [email protected]> wrote:
>
>> Yes. assuming the format of your new file is also "syslog"
>>
>>
>> On Tue, Jun 28, 2011 at 1:26 PM, SystemAli <[email protected]> wrote:
>>
>>> So, that means if I need to add additional files to be monitored, all I
>>> need to do is edit the *ossec.conf* on the agent by replacing the *
>>> LOCATION* tag with the location of the log file that I need to monitor?
>>> ...correct?
>>>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/var/log/maillog</location>
>>>   </localfile>
>>>
>>> Please clarify
>>>
>>> Thank you
>>>
>>>
>>>
>>> On Mon, Jun 27, 2011 at 6:36 PM, Christopher Moraes <
>>> [email protected]> wrote:
>>>
>>>>
>>>> On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]> wrote:
>>>>
>>>>> Dan:
>>>>>
>>>>> that means all the logs to be monitored have to be entered in the agent
>>>>> in the following location: /var/ossec/etc/ossec.conf ?
>>>>>
>>>>>
>>>> On the agent, there are 2 config files that are read in the following
>>>> order -
>>>> 1. /var/ossec/etc/ossec.conf and
>>>> 2. /var/ossec/etc/shared/agent.conf
>>>>
>>>> The agent first reads the ossec.conf file and then tries to read the
>>>> agent.conf file (if it exists).  Log files specified in ossec.conf and
>>>> agent.conf will be monitored.  If you are making changes for a specific
>>>> agent, make your changes in ossec.conf and not agent.conf, as agent.conf
>>>> gets overwritten by the manager.
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> "Want to be a leader? Wash the Dishes When Nobody Else Will"
>>> <http://thesash.me/wash-the-dishes-when-nobody-else-will>
>>>
>>
>>
>
>
> --
> "Want to be a leader? Wash the Dishes When Nobody Else Will"
> <http://thesash.me/wash-the-dishes-when-nobody-else-will>
>
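The pre-decode / decode split described at the top of this reply, as an added Python example that is not part of the thread and not OSSEC's own code: it applies the `<date time> <hostname> <program>` header check to a few constructed lines, picks a decoder by program name, and shows why a dmesg-style line cannot be read with `log_format` syslog. The sample lines and the two decoders are assumptions made for the illustration.

```python
import re

# Constructed sample lines (not from the thread): two syslog lines with a
# decoder, one syslog line without a decoder, and one dmesg-style line.
SAMPLE_LINES = [
    "Jun 28 13:50:01 agent01 sshd[2231]: Accepted publickey for ali from 10.0.0.5 port 51522 ssh2",
    'Jun 28 13:50:07 agent01 vsftpd[2290]: CONNECT: Client "10.0.0.9"',
    "Jun 28 13:51:00 agent01 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
    "[    0.000000] Initializing cgroup subsys cpuset",
]

# Pre-decoder for log_format syslog: <date time> <hostname> <program>[pid]: <rest>
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<rest>.*)$"
)

# Hypothetical decoders keyed by program name (the field OSSEC uses to pick
# a decoder); each one only has to understand the <rest> part of the line.
DECODERS = {
    "sshd": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<srcip>\S+)"),
    "vsftpd": re.compile(r'^(?P<action>[A-Z]+): Client "(?P<srcip>[^"]+)"'),
}

def predecode(line):
    """Split a line into the syslog header fields, or None if it is not syslog format."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def decode(line):
    """Pre-decode, then hand <rest> to the decoder chosen by program name."""
    pre = predecode(line)
    if pre is None:
        return {"status": "not_syslog"}
    dec = DECODERS.get(pre["prog"])
    if dec is None:
        return {"status": "no_decoder", **pre}
    m = dec.match(pre["rest"])
    return {"status": "decoded", **pre, **(m.groupdict() if m else {})}

def summarize(lines):
    """Count outcomes; any not_syslog lines mean the file needs another log_format."""
    counts = {"decoded": 0, "no_decoder": 0, "not_syslog": 0}
    for line in lines:
        counts[decode(line)["status"]] += 1
    return counts
```

Running `summarize()` over the first few hundred lines of a candidate file is a quick way to compare it against /var/log/messages before pointing a `<localfile>` entry at it.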
