Dan:

My conf file is attached

Thank you so much for extending your helping hand.


On Wed, Jun 29, 2011 at 12:19 AM, dan (ddp) <[email protected]> wrote:

> On Tue, Jun 28, 2011 at 2:33 PM, SystemAli <[email protected]> wrote:
> > Yes,
> > the first one is an Apache format. Do I need to change the LOG_FORMAT for
> > this? If yes, then what?
>
> <log_format>apache</log_format>
>
> > And yes, there were additional "</ossec_config>" in the file, which I have
> > removed, but I still get the same error :(
> > Thank you once again
> >
>
> There's either an extra </ossec_config> still in the file, or the
> "<ossec_config" in the message you sent is causing the breakage.
> Feel free to send me the ossec.conf, I can try to read it for you.
>
> > On Tue, Jun 28, 2011 at 11:48 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> Hi SystemAli,
> >>
> >> On Tue, Jun 28, 2011 at 2:10 PM, SystemAli <[email protected]> wrote:
> >> > Chris:
> >> > I edited the ossec.conf and added these containers to it:
> >> >  <localfile>
> >> >     <log_format>syslog</log_format>
> >> >     <location>/usr/local/apache/logs/access_log</location>
> >> >   </localfile>
> >>
> >> This is probably in the apache format
> >>
> >> > </ossec_config>
> >>
> >> This </ossec_config> tag seems to be in the wrong place.
> >>
> >> >   <localfile>
> >> >     <log_format>syslog</log_format>
> >> >     <location>/usr/local/cpanel/logs/access_log</location>
> >> >   </localfile>
> >>
> >> I haven't seen it, but I'm guessing this will also be in the apache
> >> format.
> >> Have you ever looked at the logs?
> >>
> >> > But when I restart OSSEC I get this error:
> >> > /var/ossec/bin/ossec-control start
> >> > Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> >> > 2011/06/28 23:39:58 ossec-execd(1226): ERROR: Error reading XML file
> >> > '/var/ossec/etc/ossec.conf': XML ERR: Element not closed:
> <ossec_config
> >> > (line 68).
> >> > Can you suggest how to resolve this?
> >> >
> >>
> >> Look at line 68 or above. Look for a line that says "<ossec_config"
> >> Or, check for an <ossec_config> without an </ossec_config>.
> >>
> >> Anything in a <> will need a corresponding </>.
> >
> >
> >
> > --
> > "Want to be a leader? Wash the Dishes When Nobody Else Will"
> >
>



-- 
"Want to be a leader? Wash the Dishes When Nobody Else Will"
<http://thesash.me/wash-the-dishes-when-nobody-else-will>
<ossec_config>
  <client>
    <server-ip>10.1.1.219</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/usr/local/apache/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/cpanel/logs/access_log</location>
  </localfile>
<</ossec_config>
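The pairing rule dan states above ("Anything in a <> will need a corresponding </>") turned into a small checker for ossec.conf, an added example that is not part of this thread or of OSSEC itself. It pairs start and end tags with a stack, reports the line of anything unbalanced or stray, and runs on a constructed fragment whose last line reads `<</ossec_config>` like the attached file; it is a simplified scan, not OSSEC's own XML reader, so its messages differ from the ones ossec-execd prints.

```python
import re

# Constructed fragment modelled on the attached ossec.conf; its closing root tag
# is mistyped "<</ossec_config>", the slip behind "Element not closed: <ossec_config".
SAMPLE_CONF = """<ossec_config>
  <client>
    <server-ip>10.1.1.219</server-ip>
  </client>
  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>apache</log_format>
    <location>/usr/local/apache/logs/access_log</location>
  </localfile>
<</ossec_config>
"""

# A comment, or a start/end/self-closing tag: captures the "/" of an end tag,
# the element name, and the trailing "/" of a self-closing tag.
TAG_RE = re.compile(r"<!--.*?-->|<(/?)([A-Za-z_][\w.-]*)[^<>]*?(/?)>", re.DOTALL)


def check_tags(text):
    """Return sorted (line, message) problems found by pairing tags.
    Stack-based scan, not a strict XML parser: OSSEC reads ossec.conf with its
    own reader, which e.g. accepts more than one <ossec_config> root."""
    problems, stack, pos = [], [], 0

    def line_of(offset):
        return text.count("\n", 0, offset) + 1

    def note_strays(start, end):
        # A "<" that did not begin a tag (the first "<" of "<</ossec_config>").
        for s in re.finditer("<", text[start:end]):
            problems.append((line_of(start + s.start()), "stray '<' not starting a tag"))

    for m in TAG_RE.finditer(text):
        note_strays(pos, m.start())
        pos = m.end()
        if m.group(0).startswith("<!--") or m.group(3):
            continue  # comments and self-closing tags need no partner
        closing, name = m.group(1), m.group(2)
        if not closing:
            stack.append((name, line_of(m.start())))
        elif stack and stack[-1][0] == name:
            stack.pop()
        else:
            problems.append((line_of(m.start()), "unexpected </%s>" % name))
    note_strays(pos, len(text))
    for name, line in stack:
        problems.append((line, "element not closed: <%s" % name))
    return sorted(problems)
```

Running `check_tags` over a real ossec.conf before restarting OSSEC points at the offending line instead of only the element name.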
