On Tue, Sep 10, 2013 at 11:59 AM, frwa onto <[email protected]> wrote:
> Dear Dan,
>
> 1. Is there any link on how to download and update the latest rules?
> Because how do I update the installation (uninstall and reinstall?) unless it
> was installed via yum, right? But in my case my .rpm is rebuilt?
>

I don't know anything about the RPMs. Just replace the rules files
with newer copies. The rules don't get updated very often right now,
so it isn't a big concern.

> 2. OK, I can see all the logs in /var/ossec/logs/alerts have a rule
> number. How about the one in /var/ossec/ossec.log? What does this represent,
> because all the errors I posted earlier were from this ossec.log.
>

Those are OSSEC logs. They are the logs from the OSSEC processes.

> 3. I am trying to read about active-response from here:
> http://www.ossec.net/doc/syntax/head_ossec_config.active-response.html
> Actually, what is it? So you said I don't need to use it; is there any specific
> reason or drawback of it?
>

I find it difficult to believe you've done any research into OSSEC if
you don't know what active response is.

It's the capability for OSSEC to automatically do things based on logs received.

> Thank you.
>
>
> On Tue, Sep 10, 2013 at 11:17 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Sep 10, 2013 at 10:14 AM, frwa onto <[email protected]> wrote:
>> > Dear Dan,
>> >                Sorry, I will limit my questions.
>> > 1. How to manually update the rules?
>>
>> Either add your own to local_rules.xml, download the latest rules from
>> the repository, or update your OSSEC installation.
>>
>> > 2. Here I don't see any rules. It does not state what rule
>> >
>>
>> Any entry in alerts.log is there because the log message triggered a
>> rule. The rule id is mentioned in each entry. For example:
>> ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> 2013 Sep 08 00:51:17 capture->/var/log/secure
>> Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> Src IP: 60.50.38.78
>> User: root
>> Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from
>> **.**.**.78 port 3516 ssh2
>>
>> The above alert was for rule 5715. If you look in
>> /var/ossec/rules/sshd_rules.xml you should see rule 5715.
>>
>>
>> >> 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue
>> >> '/queue/alerts/ar'
>> >> not accessible: 'Connection refused'.
>> >> 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to
>> >> active response queue.
>> >
>> > Isn't active response a key for OSSEC? How to enable it and what does it do?
>> >
>>
>> You don't have to use it.
>>
>> > Thank you very much.
>> >
>> >
>> >
>> > On Tuesday, September 10, 2013 9:12:09 PM UTC+8, dan (ddpbsd) wrote:
>> >>
>> >> On Sat, Sep 7, 2013 at 1:03 PM, frwa onto <[email protected]> wrote:
>> >> > Dear Dan,
>> >> >               Yes, I went into the ossec.log and saw the output below. I
>> >> > have a few things to ask here. First, I saw it say 1229 total rules
>> >> > enabled. Will the rules increase by themselves or do they need manual
>> >> > intervention? Why are some showing
>> >>
>> >> You will have to update the rules manually (for now).
>> >>
>> >> > as errors? Another error is this one Queue '/queue/alerts/ar' not
>> >>
>> >> What rules are showing up as errors?
>> >>
>> >> > accessible: 'Connection refused'.?
>> >>
>> >> Are you using active response? If not, ignore.
>> >>
>> >> >
>> >> >
>> >> > 2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986).
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/messages'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open
>> >> > file
>> >> > '/var/log/authlog'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/authlog'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/secure'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open
>> >> > file
>> >> > '/var/log/xferlog'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/xferlog'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/maillog'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open
>> >> > file
>> >> > '/var/www/logs/access_log'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/www/logs/access_log'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open
>> >> > file
>> >> > '/var/www/logs/error_log'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/www/logs/error_log'.
>> >> > 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
>> >> > 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue
>> >> > '/queue/alerts/ar'
>> >> > not accessible: 'Connection refused'.
>> >> > 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect
>> >> > to
>> >> > active response queue.
>> >> > 2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to
>> >> > '/queue/alerts/execq' (exec queue)
>> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982).
>> >> > 2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982).
>> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory:
>> >> > '/etc'.
>> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory:
>> >> > '/usr/bin'.
>> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory:
>> >> > '/usr/sbin'.
>> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory:
>> >> > '/bin'.
>> >> > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory:
>> >> > '/sbin'.
>> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan
>> >> > (forwarding database).
>> >> > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database
>> >> > (pre-scan).
>> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not
>> >> > available,
>> >> > ignoring it: '/var/log/authlog'.
>> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not
>> >> > available,
>> >> > ignoring it: '/var/log/xferlog'.
>> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not
>> >> > available,
>> >> > ignoring it: '/var/www/logs/access_log'.
>> >> > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not
>> >> > available,
>> >> > ignoring it: '/var/www/logs/error_log'.
>> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010).
>> >> > 2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064).
>> >> > 2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck
>> >> > database (pre-scan completed).
>> >> > 2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan
>> >> > (forwarding
>> >> > database).
>> >> > 2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> > 2013/08/31 16:47:07 ossec-execd: INFO: Active response command not
>> >> > present:
>> >> > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on
>> >> > this
>> >> > system.
>> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found:
>> >> > '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found:
>> >> > '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
>> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found:
>> >> > '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found:
>> >> > '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
>> >> > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found:
>> >> > '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found:
>> >> > '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
>> >> > 2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> > 2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit
>> >> > Cleaning...
>> >> > 2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received.
>> >> > Exit
>> >> > Cleaning...
>> >> > 2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received.
>> >> > Exit
>> >> > Cleaning...
>> >> > 2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received.
>> >> > Exit
>> >> > Cleaning...
>> >> > 2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received.
>> >> > Deleting
>> >> > responses.
>> >> > 2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit
>> >> > Cleaning...
>> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246).
>> >> > 2013/09/01 21:32:08 DEBUG: I am creating the SQLite table.
>> >> > 2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269).
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder
>> >> > file.
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'rules_config.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'pam_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'sshd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'telnetd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'syslog_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'arpwatch_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'symantec-av_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'symantec-ws_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'pix_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'named_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'smbd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'vsftpd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'pure-ftpd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'proftpd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ms_ftpd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ftpd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'hordeimp_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'roundcube_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'wordpress_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'cimserver_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'vpopmail_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'vmpop3d_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'courier_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'web_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'web_appsec_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'apache_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'nginx_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'php_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'mysql_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'postgresql_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ids_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'squid_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'firewall_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'cisco-ios_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'netscreenfw_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'sonicwall_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'postfix_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'sendmail_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'imapd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'mailscanner_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'dovecot_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ms-exchange_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'racoon_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'vpn_concentrator_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'spamd_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'msauth_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'mcafee_av_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'trend-osce_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ms-se_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'zeus_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'solaris_bsm_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'vmware_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ms_dhcp_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'asterisk_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'ossec_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'attack_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file:
>> >> > 'local_rules.xml'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled:
>> >> > '1229'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file:
>> >> > '/etc/hosts.deny'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file:
>> >> > '/etc/mail/statistics'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file:
>> >> > '/etc/random-seed'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file:
>> >> > '/etc/adjtime'
>> >> > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file:
>> >> > '/etc/httpd/logs'
>> >> >
>> >> >
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/messages'.
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open
>> >> > file
>> >> > '/var/log/authlog'.
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/authlog'.
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/secure'.
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open
>> >> > file
>> >> > '/var/log/xferlog'.
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/xferlog'.
>> >> > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file:
>> >> > '/var/log/maillog'.
>> >> >
>> >> > 2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue
>> >> > '/queue/alerts/ar'
>> >> > not accessible: 'Connection refused'.
>> >> > 2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect
>> >> > to
>> >> > active response queue.
>> >> >
>> >> > 2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245).
>> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248).
>> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250).
>> >> > 2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> > 2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan.
>> >> > 2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan.
>> >> > 2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> >
>> >> > The rootcheck runs by itself; is it automatic?
>> >> >
>> >>
>> >> Looks like it.
>> >>
>> >> >
>> >> > Next I went into alerts.log. So will all this be alerted via email
>> >> > or only some alerts?
>> >> >
>> >>
>> >> Some alerts will trigger emails, some will not. You can customize a lot
>> >> of that.
>> >>
>> >> > Saw this.
>> >> >
>> >> > ** Alert 1378572677.0: - syslog,sshd,authentication_success,
>> >> > 2013 Sep 08 00:51:17 capture->/var/log/secure
>> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> > Src IP: 60.50.38.78
>> >> > User: root
>> >> > Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from
>> >> > **.**.**.78 port 3516 ssh2
>> >> >
>> >> > ** Alert 1378572679.290: - pam,syslog,authentication_success,
>> >> > 2013 Sep 08 00:51:19 capture->/var/log/secure
>> >> > Rule: 5501 (level 3) -> 'Login session opened.'
>> >> > Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session
>> >> > opened
>> >> > for user root by (uid=0)
>> >> >
>> >> > ** Alert 1378572745.548: - syslog,sshd,authentication_success,
>> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure
>> >> > Rule: 5715 (level 3) -> 'SSHD authentication success.'
>> >> > Src IP: 60.50.38.78
>> >> > User: root
>> >> > Sep  8 00:52:24 capture sshd[11985]: Accepted password for root from
>> >> > **.**.**.78 port 3512 ssh2
>> >> >
>> >> > ** Alert 1378572745.840: - pam,syslog,authentication_success,
>> >> > 2013 Sep 08 00:52:25 capture->/var/log/secure
>> >> > Rule: 5501 (level 3) -> 'Login session opened.'
>> >> > Sep  8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session
>> >> > opened
>> >> > for user root by (uid=0)
>> >> >
>> >> >
>> >> > Another thing: this process, zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest,
>> >> > basically what are we going to look out for from here?
>> >> >
>> >>
>> >> That will provide some alerts. In fact, the "-a" flag to ossec-logtest
>> >> should provide alerts very similar to what is in alerts.log.
>> >>
>> >> Other than that, this question is too broad for me to answer.
>> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Friday, September 6, 2013 11:14:40 PM UTC+8, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <[email protected]> wrote:
>> >> >> > Dear Dan,
>> >> >> >               I know the option you gave is just for a single file. I
>> >> >> > want to do the whole of /var/log; how to go about that, which I think
>> >> >> > is what ossec-logtest does, right?
>> >> >> > I know neither of these works now..
>> >> >> > cat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
>> >> >> > cat: /var/log: Is a directory
>> >> >> > [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
>> >> >> > gzip: /var/log is a directory -- ignored
>> >> >> >
>> >> >>
>> >> >> You're running this on a Linux or Unix-like system, use the tools
>> >> >> available.
>> >> >> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest
>> >> >>
>> >> >>
>> >> >> > How do I confirm that syscheck is running? Normally, where and what
>> >> >> > are the logfiles of OSSEC for us to view or look at? Thank you. Sorry,
>> >> >> > very new to this tool.
>> >> >> >
>> >> >>
>> >> >> /var/ossec/logs/ossec.log contains information like when syscheck
>> >> >> runs.
>> >> >> /var/ossec/logs/alerts/alerts.log has alert information.
>> >> >>
>> >> >>
>> >> >> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan (ddpbsd)
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > Dear Dan,
>> >> >> >> >               For ossec-logtest I just ran it like this:
>> >> >> >> > ./ossec-logtest? How
>> >> >> >>
>> >> >> >> The easiest way is to pipe the log file through logtest:
>> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest
>> >> >> >>
>> >> >> >> Use zcat if the logfile is compressed. If you want to redirect
>> >> >> >> the
>> >> >> >> output to a file, use this:
>> >> >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file 2>&1
>> >> >> >>
>> >> >> >>
>> >> >> >> > about the syscheck, how to run it? What will both of these scripts
>> >> >> >> > eventually
>> >> >> >>
>> >> >> >> By default, syscheck will run when OSSEC starts.
>> >> >> >>
>> >> >> >> > be doing? Do I need to run the rootcheck?
>> >> >> >> >
>> >> >> >>
>> >> >> >> Same as syscheck I believe.
>> >> >> >>
>> >> >> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, dan (ddpbsd)
>> >> >> >> > wrote:
>> >> >> >> >>
>> >> >> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto <[email protected]>
>> >> >> >> >> wrote:
>> >> >> >> >> > Hi All,
>> >> >> >> >> >         I just rebuilt and installed OSSEC on my CentOS 6.4
>> >> >> >> >> > machine. So what is the next step to be done, as this is an
>> >> >> >> >> > existing machine and I want to check for any previous intrusion?
>> >> >> >> >> > I also want to get alerts on updates to my local files or any
>> >> >> >> >> > new files created. I am sorry, very new to it.
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> You can use ossec-logtest to check old log files, and syscheck
>> >> >> >> >> has a
>> >> >> >> >> default configuration that can cover most needs. If you have
>> >> >> >> >> custom
>> >> >> >> >> locations that must be monitored, you should add them to the
>> >> >> >> >> ossec.conf in the syscheck section.
>> >> >> >> >>
>> >> >> >> >> > --
>> >> >> >> >> >
>> >> >> >> >> > ---
>> >> >> >> >> > You received this message because you are subscribed to the
>> >> >> >> >> > Google
>> >> >> >> >> > Groups
>> >> >> >> >> > "ossec-list" group.
>> >> >> >> >> > To unsubscribe from this group and stop receiving emails
>> >> >> >> >> > from
>> >> >> >> >> > it,
>> >> >> >> >> > send
>> >> >> >> >> > an
>> >> >> >> >> > email to [email protected].
>> >> >> >> >> > For more options, visit
>> >> >> >> >> > https://groups.google.com/groups/opt_out.
>> >> >> >> >
>> >> >> >
>> >> >
>> >
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/n0-gBzCdh3M/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>>
>> For more options, visit https://groups.google.com/groups/opt_out.
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
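Added example, not from the thread or from the OSSEC project: the questions above about which rule fired and which alerts matter are easiest to answer by parsing alerts.log (or the output of "ossec-logtest -a", which Dan notes has the same shape) into records keyed by rule id, level, source IP and user. The sample below is constructed in the layout shown earlier in the thread; rules 5715 and 5501 come from the thread, rule 5716 (the standard "SSHD authentication failed" rule from sshd_rules.xml) is added only so the sample contains an alert above level 3, and the addresses are documentation-range placeholders.

```python
"""Parse OSSEC alerts.log entries into records and summarise them."""
import re
from collections import Counter

# Constructed sample in the layout OSSEC writes to /var/ossec/logs/alerts/alerts.log
# (and that "ossec-logtest -a" prints). Rules 5715 and 5501 appear in the thread;
# rule 5716 ("SSHD authentication failed", level 5, from sshd_rules.xml) is added
# here only to give the sample one alert above level 3. IPs are from 192.0.2.0/24.
SAMPLE_ALERTS = """\
** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
User: root
Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from 192.0.2.10 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_failed,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Sep  8 00:52:24 capture sshd[11985]: Failed password for root from 192.0.2.10 port 3512 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): - (?P<groups>.*)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# "2013 Sep 08 00:51:17 capture->/var/log/secure"; on a manager the host part can
# read "(agentname) 10.0.0.5", which the non-greedy host group also accepts.
LOCATION = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.*)$")


def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' block."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "id": m.group("id"),
                "groups": [g for g in m.group("groups").split(",") if g],
                "timestamp": None, "host": None, "location": None,
                "rule": None, "level": None, "description": None,
                "src_ip": None, "user": None,
                "raw": [],  # the original log line(s) that fired the rule
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = RULE.match(line)
        if m:
            current["rule"] = int(m.group("rule"))
            current["level"] = int(m.group("level"))
            current["description"] = m.group("desc")
            continue
        m = LOCATION.match(line)
        if m and current["location"] is None:
            current["timestamp"], current["host"] = m.group("ts"), m.group("host")
            current["location"] = m.group("location")
            continue
        if line.startswith("Src IP: "):
            current["src_ip"] = line[len("Src IP: "):].strip()
        elif line.startswith("User: "):
            current["user"] = line[len("User: "):].strip()
        else:
            current["raw"].append(line)
    return alerts


def count_by(alerts, field):
    """Counter of alerts per value of one field (e.g. 'rule' or 'src_ip')."""
    return Counter(a[field] for a in alerts if a[field] is not None)


def at_or_above(alerts, level):
    """Alerts whose rule level is >= level (OSSEC's email threshold works the same way)."""
    return [a for a in alerts if a["level"] is not None and a["level"] >= level]


def successful_logins(alerts, user):
    """Authentication-success alerts for one account, e.g. direct root logins."""
    return [a for a in alerts
            if "authentication_success" in a["groups"] and a["user"] == user]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("alerts per rule:", dict(count_by(parsed, "rule")))
    print("alerts per source:", dict(count_by(parsed, "src_ip")))
    for a in at_or_above(parsed, 5):
        print("level>=5:", a["rule"], a["description"], a["src_ip"])
    for a in successful_logins(parsed, "root"):
        print("root login:", a["timestamp"], "from", a["src_ip"])
```

Feed it the real file with parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()); the per-rule counts show which rule ids to look up in /var/ossec/rules, the level filter mirrors what the email alert threshold will send, and the successful-login filter answers the recurring question in this thread, whether root is logging in by password and from where.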
