I'm using the syslog output of snort, so /var/log/syslog, and yes, OSSEC is watching there. They are snort alerts, so something like this:

snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected

I have tried ossec-logtest, but it is not showing anything. I have read something saying that maybe I will have to create some OSSEC rules to match this, but I'm not sure how to do that.
2012/12/13 dan (ddp) <[email protected]>
> On Wed, Dec 12, 2012 at 1:56 PM, Leonardo Pezente <[email protected]> wrote:
> > I'm a noob in OSSEC, but I think it was a good idea to have it on my NIDS
> > machine.
> > It is already running, and now I want it to send an e-mail about possible
> > problems that it and my NIDS (snort) detect, but I have no idea how to do
> > that.
> > I have snort send alerts to my syslog, and I have set syscheck to 1 hour.
> > I have created an e-mail just for that, and I have changed the global
> > settings to send e-mail.
> > So, will it send e-mail every one hour, or do I have to do something more?
>
> Where is the snort syslog logging to? Is OSSEC watching that location?
> What do the logs look like? Have you tried feeding them through
> ossec-logtest?
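The following is an added example, not code from the thread or from the OSSEC project. It shows the matching a custom rule for the quoted snort preprocessor line has to do: the syslog pre-decode (host, program name, pid, message), a match on the "(snort_decoder) WARNING:" message shape, and a frequency rule that escalates after repeated hits from one sensor inside a time window. The sample syslog lines are constructed, the rule ids 100100/100101, the levels and the local_rules.xml fragment are assumptions (100000-119999 is the range OSSEC reserves for local rules); check any real rule with ossec-logtest before trusting it, since the stock snort decoder expects the "[**] [gid:sid:rev]" alert format and not preprocessor warnings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: /var/log/syslog lines in the shape quoted in the thread
# (snort preprocessor alerts via syslog), plus unrelated noise.
SAMPLE_SYSLOG = """\
Dec 12 13:56:01 nids snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected
Dec 12 13:56:02 nids snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected
Dec 12 13:56:03 nids sshd[2201]: Accepted publickey for leo from 10.0.0.5 port 51234 ssh2
Dec 12 13:56:04 nids snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected
Dec 12 13:57:30 nids snort[1705]: (spp_sfportscan) Portscan detected from 10.0.0.9
"""

# BSD syslog header, program name, optional [pid], then the message. This is
# the same split OSSEC's syslog pre-decoder performs (hostname, program_name, log).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)

# Snort preprocessor alerts look like "(snort_decoder) WARNING: <text>".
PREPROC_RE = re.compile(
    r'^\((?P<preproc>\w+)\) (?P<severity>WARNING|ALERT|ERROR): ?(?P<text>.+)$'
)

# Hypothetical local_rules.xml fragment implementing the same logic as
# run_rules() below (assumption, not from the thread; verify with ossec-logtest).
LOCAL_RULE_XML = """\
<group name="local,snort,">
  <rule id="100100" level="6">
    <program_name>^snort$</program_name>
    <match>(snort_decoder) WARNING</match>
    <description>Snort preprocessor alert via syslog</description>
  </rule>
  <rule id="100101" level="10" frequency="3" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <description>Repeated snort preprocessor alerts from one sensor</description>
  </rule>
</group>
"""


def pre_decode(line):
    """Split one syslog line into header fields; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_snort_preproc(fields):
    """Return preprocessor/severity/text for a snort preprocessor alert, else None."""
    if fields is None or fields['prog'] != 'snort':
        return None
    m = PREPROC_RE.match(fields['msg'])
    return m.groupdict() if m else None


def run_rules(text, frequency=3, timeframe=60):
    """Apply the two-rule chain to each line of `text`.

    Returns a list of (rule_id, level, line_number). Rule 100100 (level 6)
    fires on every preprocessor alert; rule 100101 (level 10) fires when
    `frequency` such alerts from the same host fall inside `timeframe`
    seconds, then the counter is reset, mirroring OSSEC's frequency rules.
    """
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of recent 100100 hits
    for n, line in enumerate(text.splitlines(), 1):
        fields = pre_decode(line)
        event = decode_snort_preproc(fields)
        if event is None:
            continue
        alerts.append((100100, 6, n))
        ts = datetime.strptime(fields['ts'], '%b %d %H:%M:%S')
        window = recent[fields['host']]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((100101, 10, n))
            window.clear()
    return alerts


if __name__ == '__main__':
    for rule_id, level, lineno in run_rules(SAMPLE_SYSLOG):
        print(f'line {lineno}: rule {rule_id} level {level}')
```

Running it over the constructed sample fires the level-6 rule on lines 1, 2 and 4 and the level-10 frequency rule on line 4; the sshd line and the portscan line (which does not carry "WARNING:") match nothing, which is the behaviour to expect from the XML fragment above once ossec-logtest confirms the decoder hands the message to the rule.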
