Thank you so much Chris, I'll go through it right away.
On Wed, Jun 29, 2011 at 12:05 AM, Christopher Moraes <[email protected]> wrote:

> Look at /var/log/message - (this is the syslog format) and compare it to
> the logs you want to monitor. I'll explain this below -
>
> OSSEC uses the log format for pre-decoding and the decoder xml for decoding
> the log. What this means is that in order for OSSEC to read the logs, it
> needs to know what format the data is coming in. When you specify "syslog"
> format, OSSEC expects the log to be a single line log, with the format
> <date time> <hostname> <application/process name> <... other log data>
>
> If your logs do not follow the first 3 fields mentioned above, then you
> need to use another log format. Once the log is in syslog format, OSSEC
> needs to have a "decoder" that can read the rest of the log message. The
> decoder is picked up based on the "application/process name". E.g. if it
> is ftp, the ftp decoder will be picked up.
>
> I suggest you read the following presentation by Michael Starks. It'll
> save you a lot of time, trying to figure things out.
>
> http://www.immutablesecurity.com/index.php/2009/11/30/ossec-presentation-available/
>
> On Tue, Jun 28, 2011 at 1:50 PM, SystemAli <[email protected]> wrote:
>
>> Chris:
>>
>> When you say format, is this what you mean: /var/log/dmesg OR /var/log/btmp
>> etc etc... These are the kind of files I intend to record...
>>
>> Is there something that I'm missing?
>>
>> On Tue, Jun 28, 2011 at 11:03 PM, Christopher Moraes <[email protected]> wrote:
>>
>>> Yes, assuming the format of your new file is also "syslog".
>>>
>>> On Tue, Jun 28, 2011 at 1:26 PM, SystemAli <[email protected]> wrote:
>>>
>>>> So, that means if I need to add additional files to be monitored, all I
>>>> need to do is edit the *ossec.conf* on the agent by replacing the
>>>> *LOCATION* tag with the location of the log file that I need to monitor?
>>>> ...correct?
>>>>
>>>> <localfile>
>>>> <log_format>syslog</log_format>
>>>> *<location>/var/log/maillog</location>*
>>>> </localfile>
>>>>
>>>> Please clarify
>>>>
>>>> Thank you
>>>>
>>>> On Mon, Jun 27, 2011 at 6:36 PM, Christopher Moraes <[email protected]> wrote:
>>>>
>>>>> On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]> wrote:
>>>>>
>>>>>> Dan:
>>>>>>
>>>>>> That means all the logs to be monitored have to be entered in the
>>>>>> agent in the following location: /var/ossec/etc/ossec.conf ?
>>>>>
>>>>> On the agent, there are 2 config files that are read in the following
>>>>> order -
>>>>> 1. /var/ossec/etc/ossec.conf and
>>>>> 2. /var/ossec/etc/shared/agent.conf
>>>>>
>>>>> The agent first reads the ossec.conf file and then tries to read the
>>>>> agent.conf file (if it exists). Log files specified in ossec.conf and
>>>>> agent.conf will be monitored. If you are making changes for a specific
>>>>> agent, make your changes in ossec.conf and not agent.conf, as agent.conf
>>>>> gets overwritten by the manager.
>>>>
>>>> --
>>>> "Want to be a leader? Wash the Dishes When Nobody Else
>>>> Will <http://thesash.me/wash-the-dishes-when-nobody-else-will>"
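Chris's advice above boils down to a structural check: before pointing a `<localfile>` with `<log_format>syslog</log_format>` at a file, confirm each line carries the `<date time> <hostname> <program> <rest>` fields, because that is the pre-decoding OSSEC performs and the program name is what selects the decoder. The script below is an added example, not code from the thread or from the OSSEC project; it is a simplified stand-in for OSSEC's own C pre-decoder, and the sample lines (hostname `agent01`, the dmesg-style line, the line with no program field) are constructed for illustration.

```python
import re
import sys

# Constructed sample lines. The first three follow the single-line syslog layout
# that <log_format>syslog</log_format> expects; the last two do not and would
# need a different log_format (or a different source) to be useful to OSSEC.
SAMPLE_LINES = [
    "Jun 28 13:26:01 agent01 sshd[2231]: Accepted password for ali from 10.0.0.5 port 51022 ssh2",
    "Jun 28 13:27:44 agent01 postfix/smtpd[3342]: connect from unknown[10.0.0.9]",
    "Jun 28 13:30:00 agent01 pure-ftpd: (?@10.0.0.7) [INFO] New connection from 10.0.0.7",
    "[    0.000000] Linux version 2.6.32 (root@build) (gcc version 4.4.5)",  # dmesg style: no date/host
    "Jun 28 13:31:12 agent01 this line has no program field",                # no "program:" token
]

# Simplified syslog pre-decoder: <Mon DD HH:MM:SS> <hostname> <program>[pid]: <rest>
# (assumption: this mirrors the three leading fields Chris describes; OSSEC's
# real pre-decoder accepts a few more variants than this regex does).
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<rest>.*)$"
)


def predecode(line):
    """Return the pre-decoded fields of a syslog-format line, or None if the
    line lacks the <date time> <hostname> <program> prefix OSSEC relies on."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.groupdict()


def audit(lines):
    """Summarise how many lines pre-decode as syslog, which do not, and which
    program names (the decoder selector) appear in the file."""
    ok = 0
    not_syslog = []
    programs = set()
    for line in lines:
        fields = predecode(line)
        if fields is None:
            not_syslog.append(line.rstrip("\n"))
            continue
        ok += 1
        programs.add(fields["program"])
    return {
        "syslog_ok": ok,
        "not_syslog": not_syslog,
        "programs": sorted(programs),
    }


def report(result):
    """Human-readable verdict for the person editing ossec.conf."""
    out = [f"syslog-shaped lines: {result['syslog_ok']}",
           f"programs seen (decoder keys): {', '.join(result['programs']) or '-'}"]
    if result["not_syslog"]:
        out.append("lines that are NOT syslog format (use another log_format):")
        out.extend("  " + l for l in result["not_syslog"])
    else:
        out.append("all lines are syslog format; <log_format>syslog</log_format> is appropriate")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python check_syslog_format.py [/path/to/logfile]
    # With no argument the constructed samples are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    print(report(audit(lines)))
```

Run it against a candidate file (e.g. the one you intend to put in `<location>`); if any lines land in the "NOT syslog format" list, the file needs a different `log_format` rather than `syslog`, and the "programs seen" list tells you which decoders OSSEC will try to apply.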
