On Tue, Sep 10, 2013 at 12:41 PM, frwa onto <[email protected]> wrote:
> Dear Dan,
>
> 1. OK, about the rules, I won't take it as a concern for now.
>
> 2. OK, now I am clear about both the logs.
>
> 3. Since you said that active response should react based on the logs, right, why do you not want me to use it?
>

I never said you shouldn't use it, I just said it wasn't necessary.

> 4. In brief, can I say that OSSEC will be reading the log files and accordingly it will react based on the logs? Can it react on files that are being modified, etc.?
>

Agents get a checksum for files, and pass this checksum to the server in a log message. That log message is then analyzed, the checksum compared to the checksum in the db, and if necessary an alert is created.

Yes, AR can be triggered by files being modified.

> Thank you.
>
>
> On Wed, Sep 11, 2013 at 12:07 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 10, 2013 at 11:59 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> >
>> > 1. Is there any link on how to download and update the latest rules? Because how to update the installation (uninstall and reinstall?) unless it is installed via yum, right? But in my case my .rpm is rebuilt?
>> >
>>
>> I don't know anything about the RPMs. Just replace the rules files with newer copies. The rules don't get updated very often right now, so it isn't a big concern.
>>
>> > 2. OK, I can see all the logs in /var/ossec/logs/alerts have a rule number. How about the one in /var/ossec/ossec.log, what does this represent, because all the errors I posted earlier were from this ossec.log.
>> >
>>
>> Those are OSSEC logs. They are the logs from the OSSEC processes.
>>
>> > 3. I am trying to read from here on active-response:
>> > http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html
>> > Actually, what is it? So you said I don't need to use it; any specific reason or drawback of it?
>> >
>>
>> I find it difficult to believe you've done any research into OSSEC if you don't know what active response is.
>>
>> It's the capability for OSSEC to automatically do things based on logs received.
>>
>> > Thank you.
>> >
>> >
>> > On Tue, Sep 10, 2013 at 11:17 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Tue, Sep 10, 2013 at 10:14 AM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> > Sorry, I will limit my questions.
>> >> > 1. How to manually update the rules?
>> >>
>> >> Either add your own to local_rules.xml, download the latest rules from the repository, or update your OSSEC installation.
>> >>
>> >> > 2. Here I don't see any rules. It does not state what rule.
>> >> >
>> >>
>> >> Any entry in alerts.log is there because the log message triggered a rule. The rule id is mentioned in each entry. For example:
>> >> ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> Src IP: 60.50.38.78
>> >> User: root
>> >> Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from **.**.**.78 port 3516 ssh2
>> >>
>> >> The above alert was for rule 5715. If you look in /var/ossec/rules/sshd_rules.xml you should see rule 5715.
>> >>
>> >> >> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> >> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >
>> >> > Isn't active response a key part of OSSEC? How to enable it and what does it do?
>> >> >
>> >>
>> >> You don't have to use it.
>> >>
>> >> > Thank you very much.
>> >> >
>> >> >
>> >> >
>> >> > On Tuesday, September 10, 2013 9:12:09 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Sat, Sep 7, 2013 at 1:03 PM, frwa onto <[email protected]> wrote:
>> >> >> > Dear Dan,
>> >> >> > Yes, I went into the ossec.log and saw it like below. I have a few things to ask here. First, I saw it say 1229 total rules enabled.
>> >> >> > Will the rules increase by themselves or need manual intervention? Why are some showing
>> >> >>
>> >> >> You will have to update the rules manually (for now).
>> >> >>
>> >> >> > as errors? Another error is this one: Queue '/queue/alerts/ar' not
>> >> >>
>> >> >> What rules are showing up as errors?
>> >> >>
>> >> >> > accessible: 'Connection refused'.?
>> >> >>
>> >> >> Are you using active response? If not, ignore.
>> >> >>
>> >> >> >
>> >> >> >
>> >> >> > 2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986).
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/access_log'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file '/var/www/logs/error_log'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
>> >> >> > 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> >> > 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> > 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> > 2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982).
>> >> >> > 2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982).
>> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> >> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> >> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/authlog'.
>> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/log/xferlog'.
>> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/access_log'.
>> >> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, ignoring it: '/var/www/logs/error_log'.
>> >> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file.
>> >> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010).
>> >> >> > 2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064).
>> >> >> > 2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> >> > 2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> >> >> > 2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> > 2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> > 2013/08/31 16:47:07 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> >> > 2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> > 2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> > 2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> > 2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> > 2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> > 2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> > 2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> > 2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> > 2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> >> >> > 2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> >> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file.
>> >> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246).
>> >> >> > 2013/09/01 21:32:08 DEBUG: I am creating the SQLite table.
>> >> >> > 2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269).
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file.
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> >> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> >> >> >
>> >> >> >
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog'.
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/xferlog'.
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> >> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> >> >> >
>> >> >> > 2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> >> >> > 2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> >> >> >
>> >> >> > 2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> > 2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file.
>> >> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245).
>> >> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file.
>> >> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248).
>> >> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file.
>> >> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250).
>> >> >> > 2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> > 2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> > 2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> > 2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> > 2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> >> > 2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> >> > 2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> >> > 2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >> >
>> >> >> > The rootcheck runs by itself; is it automatic?
>> >> >> >
>> >> >>
>> >> >> Looks like it.
>> >> >>
>> >> >> >
>> >> >> > Next I went into alerts.log. So will all of this be alerted via email, or only some alerts?
>> >> >> >
>> >> >>
>> >> >> Some alerts will trigger emails, some will not. You can customize a lot of that.
>> >> >>
>> >> >> > Saw this.
>> >> >> >
>> >> >> > ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> >> > 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> > Src IP: 60.50.38.78
>> >> >> > User: root
>> >> >> > Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from **.**.**.78 port 3516 ssh2
>> >> >> >
>> >> >> > ** Alert 1378572679.290: - pam,syslog,authentication_success,
>> >> >> > 2013 Sep 08 00:51:19 capture->/var/log/secure
>> >> >> > Rule: 5501 (level 3) -> 'Login session opened.'
>> >> >> > Sep 8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)
>> >> >> >
>> >> >> > ** Alert 1378572745.548: - syslog,sshd,authentication_success,
>> >> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure
>> >> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> >> > Src IP: 60.50.38.78
>> >> >> > User: root
>> >> >> > Sep 8 00:52:24 capture sshd[11985]: Accepted password for root from **.**.**.78 port 3512 ssh2
>> >> >> >
>> >> >> > ** Alert 1378572745.840: - pam,syslog,authentication_success,
>> >> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure
>> >> >> > Rule: 5501 (level 3) -> 'Login session opened.'
>> >> >> > Sep 8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session opened for user root by (uid=0)
>> >> >> >
>> >> >> >
>> >> >> > Another thing, this process: zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest
>> >> >> > Basically, what are we going to look out for from here?
>> >> >> >
>> >> >>
>> >> >> That will provide some alerts. In fact, the "-a" flag to ossec-logtest should provide alerts very similar to what is in alerts.log.
>> >> >>
>> >> >> Other than that, this question is too broad for me to answer.
>> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Friday, September 6, 2013 11:14:40 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <[email protected]> wrote:
>> >> >> >> > Dear Dan,
>> >> >> >> > I know the option you gave is just for a single file. I want to do the whole of /var/log; how to go about that, which I think is what ossec-logtest does, right?
>> >> >> >> > I know neither of these works now:
>> >> >> >> > cat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
>> >> >> >> > cat: /var/log: Is a directory
>> >> >> >> > [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
>> >> >> >> > gzip: /var/log is a directory -- ignored
>> >> >> >> >
>> >> >> >>
>> >> >> >> You're running this on a linux or unix-like system, use the tools available.
>> >> >> >> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest
>> >> >> >>
>> >> >> >>
>> >> >> >> > How to confirm that syscheck is running? Normally, where and what are the logfiles of OSSEC for us to view or look at? Thank you. Sorry, very new to this tool.
>> >> >> >> >
>> >> >> >>
>> >> >> >> /var/ossec/logs/ossec.log contains information like when syscheck runs.
>> >> >> >> /var/ossec/logs/alerts/alerts.log has alert information.
>> >> >> >>
>> >> >> >>
>> >> >> >> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <[email protected]> wrote:
>> >> >> >> >> > Dear Dan,
>> >> >> >> >> > For ossec-logtest I just ran it like this: ./ossec-logtest? How
>> >> >> >> >>
>> >> >> >> >> The easiest way is to pipe the log file through logtest:
>> >> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest
>> >> >> >> >>
>> >> >> >> >> Use zcat if the logfile is compressed. If you want to redirect the output to a file, use this:
>> >> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file 2>&1
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> > about the syscheck, how to run it? What will both of these scripts eventually
>> >> >> >> >>
>> >> >> >> >> By default, syscheck will run when OSSEC starts.
>> >> >> >> >>
>> >> >> >> >> > be doing? Do I need to run the rootcheck?
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Same as syscheck I believe.
>> >> >> >> >>
>> >> >> >> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, dan (ddpbsd) wrote:
>> >> >> >> >> >>
>> >> >> >> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto <[email protected]> wrote:
>> >> >> >> >> >> > Hi All,
>> >> >> >> >> >> > I just rebuilt and installed OSSEC on my CentOS 6.4 machine. So what is the next step to be done, as this is an existing machine and I want to check for any previous intrusion? I also want to get alerts on updates to my local files or any new files created. I am sorry, very new to it.
>> >> >> >> >> >> >
>> >> >> >> >> >>
>> >> >> >> >> >> You can use ossec-logtest to check old log files, and syscheck has a default configuration that can cover most needs. If you have custom locations that must be monitored, you should add them to the ossec.conf in the syscheck section.
>> >> >> >> >> >>
>> >> >> >> >> >> > --
>> >> >> >> >> >> >
>> >> >> >> >> >> > ---
>> >> >> >> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> >> >> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> >> >> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
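The question that runs through this thread is how to read an alerts.log entry and tell which rule fired. The following Python is an added example for this page, not code from OSSEC or from anyone in the thread: it parses the alerts.log layout quoted above (the "** Alert" header line, the date/location line, the "Rule:" line, the optional "Src IP:" and "User:" lines, then the raw log line or lines that matched) and summarizes the result by rule id and by successful login. The embedded SAMPLE_ALERTS block is constructed, modelled on the entries frwa posted but with documentation IP addresses; its last entry is invented to show the optional "mail" token that OSSEC puts in the header of alerts it e-mails.

```python
"""Parse OSSEC alerts.log entries and report which rules fired.

Added example for this thread, not OSSEC code. SAMPLE_ALERTS is constructed
to match the alerts.log layout quoted in the thread (documentation IPs; the
last entry is invented to exercise the optional 'mail' token).
"""
import re
from collections import Counter

# Line 1: "** Alert <epoch.seq>: [mail] - <group>,<group>,...,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)?\s+- (?P<groups>\S+)$")
# Line 2: "<YYYY Mon DD HH:MM:SS> <agent>-><log location>"
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
# Line 3: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert."""
    alerts = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:  # a new alert starts; everything until the next header belongs to it
            current = {
                "ts": header.group("ts"),
                "mail": header.group("mail") is not None,
                "groups": [g for g in header.group("groups").split(",") if g],
                "date": None, "location": None,
                "rule_id": None, "level": None, "description": None,
                "src_ip": None, "user": None,
                "log": [],  # the original log line(s) that triggered the rule
            }
            alerts.append(current)
            continue
        if current is None or not line:
            continue  # blank separator, or text before the first alert
        loc = LOCATION_RE.match(line)
        if loc and current["date"] is None:
            current["date"], current["location"] = loc.group("date"), loc.group("location")
            continue
        rule = RULE_RE.match(line)
        if rule and current["rule_id"] is None:
            current["rule_id"] = int(rule.group("id"))
            current["level"] = int(rule.group("level"))
            current["description"] = rule.group("desc")
            continue
        if line.startswith("Src IP: "):
            current["src_ip"] = line[len("Src IP: "):]
        elif line.startswith("User: "):
            current["user"] = line[len("User: "):]
        else:
            current["log"].append(line)
    return alerts


def summarize_by_rule(alerts):
    """Count alerts per (rule id, description): the quick answer to 'which rule fired?'."""
    return Counter((a["rule_id"], a["description"]) for a in alerts)


def successful_logins(alerts):
    """(user, source IP, time) for each authentication_success alert that names a source IP."""
    return [(a["user"], a["src_ip"], a["date"])
            for a in alerts
            if "authentication_success" in a["groups"] and a["src_ip"]]


def mailed_rule_ids(alerts):
    """Rule ids of alerts whose header carries the 'mail' token."""
    return [a["rule_id"] for a in alerts if a["mail"]]


# Constructed sample, modelled on the thread's alerts.log excerpts.
SAMPLE_ALERTS = """\
** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.7
User: root
Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from 203.0.113.7 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.7
User: root
Sep 8 00:52:24 capture sshd[11985]: Accepted password for root from 203.0.113.7 port 3512 ssh2

** Alert 1378572800.901: mail  - syslog,sshd,authentication_failures,
2013 Sep 08 00:53:20 capture->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.23
User: admin
Sep 8 00:53:18 capture sshd[12001]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Sep 8 00:53:19 capture sshd[12001]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
"""

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (rule_id, desc), count in summarize_by_rule(parsed).most_common():
        print(f"rule {rule_id:>5} x{count}  {desc}")
    for user, ip, when in successful_logins(parsed):
        print(f"login: {user} from {ip} at {when}")
    print("mailed rule ids:", mailed_rule_ids(parsed))
```

To run it against a real installation, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.log (or of the output of ossec-logtest -a, which Dan notes has the same shape); the per-rule counts point you at the rule ids to look up in /var/ossec/rules/*.xml, and the login list is the kind of thing you would review first when checking an existing machine for earlier intrusions.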
