On Tue, Aug 13, 2013 at 2:16 AM, vtrack <[email protected]> wrote:
> Thanks for your reply. We do not intend to use OSSEC for checking core
> failures like hardware, drive failures, etc., but especially to use it for
> operating system integrity checks and alerts for any malicious activities.
> From what you mentioned, it looks like I need to add specific rules to enable
> such alerts. I will take a look at the rules, syntax, etc. to get this
> running on our systems. Please let me know if you have any pointers.
>
> Thanks again.
>

My biggest piece of advice is to install OSSEC and test your logs against it.

>
> On Monday, August 12, 2013 9:38:18 PM UTC+5:30, David Blanton wrote:
>>
>> Your alerting system is something only you and your management team can
>> decide on. If you wish to get an e-mail/text on all of the above, go for it.
>>
>> Our team took a more minimalist approach, only getting alerts on critical
>> errors: hardware failure, attacks, malware, critical logs to our production
>> network, et al., so we can take immediate action.
>>
>> Everything below alert level 2 does not get logged because of the
>> 'Unknown problem in the system' rule (very helpful). Root su, opened
>> sessions, closed sessions and successful SSH logins do not get fired in our
>> deployment because it is something that is redundant and makes parsing
>> through the logs more tedious.
>>
>> If you could give us an idea of what your network does, we could give you
>> a better idea of what you could have OSSEC look for. If it's a general
>> network at work, I would look into monitoring disk space, firewalls,
>> malware, and unsuccessful sudos to su/root sessions. You will notice that
>> there are tens of thousands of rules in OSSEC that can be used to fire an
>> alert, and it has the capability to do so much.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
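As an added illustration of the tuning David describes (not code from the thread or from the OSSEC project), here is a constructed `local_rules.xml` that silences routine session noise and raises failed sudo attempts high enough to be mailed. Rule IDs 100001 and 100002 are chosen from the range OSSEC reserves for local rules; the stock rule IDs referenced in `<if_sid>` (5715 for successful SSH authentication, 5501/5502 for session opened/closed, 5402 for successful sudo to root, 5401 for a failed sudo) are assumed from the standard ruleset and should be checked against the `rules/` directory of the installed version before use.

```xml
<!-- Constructed example: /var/ossec/rules/local_rules.xml
     Child rules that match via <if_sid> take precedence over the stock rule,
     so a level-0 child silences the parent and a higher-level child promotes it. -->
<group name="local,syslog,">

  <!-- Suppress routine activity the team treats as redundant:
       successful SSH logins, PAM session open/close, successful sudo to root.
       Rule IDs assumed from the stock ruleset; verify locally. -->
  <rule id="100001" level="0">
    <if_sid>5715,5501,5502,5402</if_sid>
    <description>Routine login/session activity, suppressed locally.</description>
  </rule>

  <!-- Promote failed sudo attempts (stock rule 5401) to level 10 so they
       clear the default email_alert_level of 7 and reach the on-call inbox. -->
  <rule id="100002" level="10">
    <if_sid>5401</if_sid>
    <description>Failed sudo attempt (local override, raised to e-mail level).</description>
  </rule>

</group>
```

Which alerts are written and which are mailed is then governed by `<alerts><log_alert_level>` and `<alerts><email_alert_level>` in `ossec.conf`: anything at or above the log level lands in `alerts.log`, anything at or above the e-mail level is also mailed, and file-integrity (syscheck) alerts pass through the same thresholds. After editing, run `/var/ossec/bin/ossec-logtest` and paste a sample `sshd` or `sudo` line to confirm the local rule fires with the intended level before restarting the daemon.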
