Hello,

I'm very new to OSSEC and am considering it as an IDS/log watcher for an Internet 
FTP server of mine. I already installed it in a Debian 6 virtual machine to 
get to know it. Installation is very straightforward and without 
complications. But there are several points that are still a bit blurry to 
me. Perhaps you can enlighten me.

1. Is there an option I can set to enable active_response but not actually 
block the attacker? Some kind of file or log with messages like: "OSSEC 
would have added the IP 123.123.123.123 to your iptables/hosts.deny". I 
would like to see this before enabling it and potentially blocking a customer.

2. Reading the OSSEC log files is available via file and webUI (which, I now 
know, is buggy). After reading the archive of this mailing list (last 20 
threads or so) I get the impression that I have to install another tool to 
browse the OSSEC logs. As I plan to install OSSEC to do the log reading for 
me and just give me a summary of what happened, I do not plan to 
investigate another tool that is doing what OSSEC should do in the first 
place (read: what I expect it to do). Is there a preferred way to use 
OSSEC? Some best-practice tips?

3. Speaking of the webUI. I find it very disturbing that it is still listed 
on the OSSEC download page (and hosted on ossec.net) and not in the least 
marked as deprecated or unsupported. There seem to be several patches in 
the archives but nowhere else.

Last note: the "first steps with OSSEC" page should be updated because some 
links are not working anymore (I would have liked to see a video tutorial 
or some more first-steps documentation).

Regards
Christian

On a side note: I currently use logcheck and logwatch but am lacking an IDS 
(lots of HTTP and SSH errors due to scanning and brute-force password 
guessing).
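One way to get the "would have blocked" log asked for in point 1, as an added example that is not part of the original post and not OSSEC's own code: OSSEC invokes an active-response script with positional arguments (action, user, source IP, alert id, rule id), so a script that only writes a line to a log file instead of touching iptables or /etc/hosts.deny gives a dry run of the decision. The log path (`/tmp/ossec-dryrun.log`, overridable via `OSSEC_DRYRUN_LOG`), the IPv4 check and the sample alert/rule ids used in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical OSSEC active-response "dry run" script (added example, not OSSEC's own code).
# OSSEC passes active-response scripts these positional arguments:
#   $1 action (add|delete)   $2 user   $3 source IP   $4 alert id   $5 rule id
# Instead of changing iptables or /etc/hosts.deny, this script only records what
# the real firewall-drop / host-deny script would have done.

# Assumed log location; override with OSSEC_DRYRUN_LOG=/var/ossec/logs/dryrun.log
DRYRUN_LOG="${OSSEC_DRYRUN_LOG:-/tmp/ossec-dryrun.log}"

# Minimal IPv4 sanity check: a real blocking script should refuse anything else,
# so the dry run reports malformed values separately rather than "blocking" them.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Record (and echo) the action OSSEC requested without executing it.
dry_run_response() {
  action="$1"; user="$2"; ip="$3"; alert_id="$4"; rule_id="$5"
  stamp="$(date '+%Y-%m-%d %H:%M:%S')"
  case "$action" in
    add)
      if is_ipv4 "$ip"; then
        msg="OSSEC would have added the IP $ip to iptables/hosts.deny (rule $rule_id, alert $alert_id, user ${user:--})"
      else
        msg="OSSEC received a malformed IP '$ip' (rule $rule_id, alert $alert_id); a real script would have refused it"
      fi ;;
    delete)
      msg="OSSEC would have removed the IP $ip from iptables/hosts.deny (rule $rule_id, alert $alert_id)" ;;
    *)
      msg="OSSEC sent unknown action '$action' for IP $ip (rule $rule_id, alert $alert_id)" ;;
  esac
  printf '%s %s\n' "$stamp" "$msg" >> "$DRYRUN_LOG"
  printf '%s\n' "$msg"
}

# When OSSEC (or an admin testing by hand) runs this file with arguments,
# pass them straight through; with no arguments only the functions are defined.
if [ $# -ge 3 ]; then
  dry_run_response "$@"
fi
```

To try it by hand with constructed values: `sh ossec-dryrun.sh add - 123.123.123.123 1.1 100100` appends one line to the dry-run log and prints it. To have OSSEC call it, the script is registered in ossec.conf as a `<command>` (with `<expect>srcip</expect>`) and referenced from an `<active-response>` block at the alert level you want to observe, in place of the firewall-drop or host-deny command; once the log shows only the IPs you would actually want blocked, the real command can be swapped back in.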
