Dan :
My conf file is attached
Thank you so much for extending your helping hand.
On Wed, Jun 29, 2011 at 12:19 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Jun 28, 2011 at 2:33 PM, SystemAli <[email protected]> wrote:
> > Yes,
> > the first one is an Apache format, DO i need to change the LOG_FORMAT for
> > this ? if yes, then what ?
>
> <log_format>apache</log_format>
>
> > And yes. there were additional "</ossec_config>" in the file which i have
> > removed, But yet get the same error :(
> > than you once again
> >
>
> There's either an extra </ossec_config> still in the file, or the
> "<ossec_config" in the message you sent is causing the breakage.
> Feel free to send me the ossec.conf, I can try to read it for you.
>
> > On Tue, Jun 28, 2011 at 11:48 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> Hi SystemAli,
> >>
> >> On Tue, Jun 28, 2011 at 2:10 PM, SystemAli <[email protected]> wrote:
> >> > Chris :
> >> > I edited the ossec.conf and added these container in it :-
> >> > <localfile>
> >> > <log_format>syslog</log_format>
> >> > <location>/usr/local/apache/logs/access_log</location>
> >> > </localfile>
> >>
> >> This is probably in the apache format
> >>
> >> > </ossec_config>
> >>
> >> This </ossec_config> tag seems to be in the wrong place.
> >>
> >> > <localfile>
> >> > <log_format>syslog</log_format>
> >> > <location>/usr/local/cpanel/logs/access_log</location>
> >> > </localfile>
> >>
> >> I haven't seen it, but I'm guessing this will also be in the apache
> >> format.
> >> Have you ever looked at the logs?
> >>
> >> > But when i restart ossec i get this error :-
> >> > /var/ossec/bin/ossec-control start
> >> > Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> >> > 2011/06/28 23:39:58 ossec-execd(1226): ERROR: Error reading XML file
> >> > '/var/ossec/etc/ossec.conf': XML ERR: Element not closed:
> <ossec_config
> >> > (line 68).
> >> > Can you suggest how to resolve this ?
> >> >
> >>
> >> Look at line 68 or above. Look for a line that says "<ossec_config"
> >> Or, check for an <ossec_config> without an </ossec_config>.
> >>
> >> Anything in a <> will need a corresponding </>.
> >
> >
> >
> > --
> > "Want to be a leader? Wash the Dishes When Nobody Else Will"
> >
>
--
"Want to be a leader? Wash the Dishes When Nobody Else
Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>
"
<ossec_config>
<client>
<server-ip>10.1.1.219</server-ip>
</client>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/usr/local/apache/logs/access_log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/cpanel/logs/access_log</location>
</localfile>
<</ossec_config>
