On 31/05/2012 12:15, [email protected] wrote:
Hi all
Currently considering an Ossec deployment, could I please check my
understanding of the following:
Ossec alerts - can be logged to syslog, file, database and sent as emails.
Original log lines received from agents - can be logged to the archive.log file with the
"logall" directive for retention (this doesn't cause these to be added to a
configured db and they don't appear to be sent to syslog either should this be enabled,
presuming these aren't options?).
And a slightly off topic question if I may.
I'd be interested in hearing what others are doing with regard to log retention /
enabling rich searching of the archive log; having taken a quick look at elsa
as an example, this appears to import everything as ossec-archive, which doesn't
appear ideal for utilising the search functions.
It would be plausible in our case to actually junk a good portion of what's in
the archive (ossec keepalives, log lines considered irrelevant for retention)
but I'm not sure exactly where to begin (regex not being a strong point) and am
wondering what others have done who have used the archive as a basis for log
retention.
Not answering all your concerns but...
As you said, with the logall switch, all logs from clients are logged
into archive logs.
(http://www.ossec.net/doc/syntax/head_ossec_config.global.html#options)
Alert logs are just decoded archive logs that trigger alerts with
level >= log_alert_level -- assuming you have some decoders and rules
(ossec ships with default ones).
I don't use DB support and I only keep 13 months of archive log files
on disk (PCI-DSS). I don't keep alert logs as they are redundant with
the archives, and ~5 times heavier because of the decoding overhead.
I think you should not remove things from archive logs as they'll lose
their purpose and the tool will be considered as limited/compromised.
As for the "rich searching of archives", it can be dangerous if anyone
can read everything, because the archives contain all logs of everything
everywhere, and it can be very slow because archive files can quickly
become huge.
ps: also, ossec-wui has a Search tab.
--
Cheers,
Florian Crouzat
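As an added illustration of the level >= log_alert_level test Florian describes (this is example code, not from the thread or from OSSEC itself), the parser below reads records in the alerts.log layout, pulls out the rule id, level and groups, and applies the same threshold. The three sample records are constructed for this example, including the rule ids and descriptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the alerts.log layout; values are invented for this example.
SAMPLE_ALERTS = """\
** Alert 1338466800.1234: - syslog,sshd,authentication_failed,
2012 May 31 12:15:00 (web1) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.10
May 31 12:14:59 web1 sshd[2201]: Failed password for invalid user admin from 192.168.1.10 port 4022 ssh2

** Alert 1338466860.5678: - ossec,
2012 May 31 12:16:00 ossec-server->ossec-keepalive
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'web1->10.0.0.5'.

** Alert 1338467000.9012: mail  - syslog,sshd,authentication_failures,
2012 May 31 12:18:20 (web1) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.168.1.10
May 31 12:18:19 web1 sshd[2250]: Failed password for invalid user admin from 192.168.1.10 port 4030 ssh2
"""

# "** Alert <epoch>.<seq>: [mail] - <comma-separated groups>,"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:(?: (\w+))?\s+- (\S+)$", re.M)
# "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)

@dataclass
class Alert:
    epoch: int
    groups: tuple
    rule_id: int
    level: int
    description: str
    raw: str  # decoded source line(s) that follow the Rule: line

def parse_alerts(text):
    """Split alerts.log text into records; malformed records are skipped, not fatal."""
    alerts = []
    for chunk in re.split(r"(?m)^(?=\*\* Alert )", text):
        head, rule = HEADER_RE.search(chunk), RULE_RE.search(chunk)
        if not chunk.strip() or not head or not rule:
            continue
        groups = tuple(g for g in head.group(3).split(",") if g)
        alerts.append(Alert(int(head.group(1)), groups, int(rule.group(1)),
                            int(rule.group(2)), rule.group(3), chunk[rule.end():].strip()))
    return alerts

def at_least(alerts, min_level):
    """Keep records with level >= min_level, the test log_alert_level applies."""
    return [a for a in alerts if a.level >= min_level]

def count_by_level(alerts):
    """Per-level histogram, useful for sizing retention before changing the threshold."""
    counts = {}
    for a in alerts:
        counts[a.level] = counts.get(a.level, 0) + 1
    return counts
```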