Hey guys,
I was wondering if you guys could help me out with some questions I have regarding OSSEC...
Q1. Even though I've changed 'maild.groupping=1' to 'maild.groupping=0' in the configuration file "internal_options.conf" and restarted OSSEC, I keep getting grouped events via e-mail. Any ideas what I'm missing? In my opinion, alerts should be sent out (emailed) and logged one by one and not in 'bulk', because we'll lose the plot sooner or later.
Q2. Is there a reason why not every single alert is written to the Database [MySQL] and/or written to the logs? I thought that

    <alerts>
      <log_alert_level>1</log_alert_level>
      <email_alert_level>3</email_alert_level>
    </alerts>

actually means 'log everything with alert level 1 and above and notify via e-mail for everything with alert level 3 and above'! Am I missing something?
Q3. Is there a way to import alerts/logs from the OSSEC log/alert files into its Database? Because of poor administration on my behalf (hey, I'm not a Linux/OSSEC/MySQL guru, sorry), a lot of logs/alerts are in log format and not inside the Database, and I was wondering if there's a tool or something I could do in order to get those events (import them) into the Database.
Q4. Regarding the Database structure, is there documentation available so as to be able to create our custom reports in MySQL, or even better, export the data to our data warehouse system and create the custom reports over there? I mean, how are the links working inside the DB and how is the information organized/categorized inside the DB, so as to know which table(s) contain which piece of information I could combine in order to come up with a report?
More questions to come :-)
Your help is very much appreciated guys, because I'm on the verge of losing my mind in the effort of trying to 'make' the OSSEC installation we have suit our Enterprise.
Dimitris