OSSEC would be better utilized moving forward as a preventative/defensive (or as an alerting type of setup), rather than as a post-analysis/forensics tool.
You may want to consider using Splunk or something like Deep Log Analyzer (or just manually investigate the logs yourself) to try to figure out what happened. Is this Apache, IIS, or something else? You should definitely be looking at the logs to see if you can spot anything weird off the bat IMHO.

On Sun, Jul 10, 2011 at 1:18 PM, brian <[email protected]> wrote:
> Is it possible to use OSSEC to evaluate the log files from a server I
> don't have root access to? I'm helping a friend with a web site that
> was hacked and I'm trying to use OSSEC to find where the hacker got
> in. My hope is to download the logs and give them to OSSEC. I'm
> running vista and have centos running in vmware.
>
> I found the post 'Installation and use without root access' but I can
> edit the etc dir.
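
One way to do the manual review of downloaded logs that the reply suggests, as an added example that is not part of the original thread. It assumes Apache "combined" access logs; the check names, patterns, and sample lines are constructed for illustration and are not a complete rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Apache "combined" log format; adjust for IIS or other servers.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative heuristics (hypothetical names), applied to the URL-decoded request.
CHECKS = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_keywords": re.compile(r"(?i)\bunion\b.+\bselect\b|\bor\b\s+1=1"),
    "remote_include": re.compile(r"(?i)=(?:https?|ftp)://"),
}
# A POST to a script inside a directory meant for static uploads deserves a look.
UPLOAD_SCRIPT = re.compile(r"(?i)/(uploads?|images|tmp)/[^?]*\.php")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [09/Jul/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jul/2011:10:05:40 +0000] "GET /page.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [09/Jul/2011:10:07:13 +0000] "POST /uploads/x.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.10 - - [09/Jul/2011:10:09:00 +0000] "GET /news.php?id=3 HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
]

def classify(method, url):
    """Return the names of the heuristics a single request trips."""
    decoded = unquote(url)
    hits = [name for name, rx in CHECKS.items() if rx.search(decoded)]
    if method == "POST" and UPLOAD_SCRIPT.search(decoded):
        hits.append("post_to_script_in_upload_dir")
    return hits

def triage(lines):
    """Group flagged requests by source IP, keeping line number and timestamp."""
    findings = defaultdict(list)
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped here; review them separately
        hits = classify(m["method"], m["url"])
        if hits:
            findings[m["ip"]].append((n, m["ts"], m["status"], hits))
    return dict(findings)

if __name__ == "__main__":
    for ip, events in triage(SAMPLE).items():
        for n, ts, status, hits in events:
            print(f"{ip} line {n} [{ts}] status={status} {','.join(hits)}")
```

The earliest flagged line per source IP gives a starting point for reading the surrounding log entries by hand.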
