Dear Dan,

Thanks for your support.

May I use a central syslog server and the OSSEC server on the same system? And my main purpose is to use OSSEC to monitor the agents' hardware errors (such as RAID, HDD, etc.).

Thanks and best regards,

On Thursday, October 31, 2013 2:12:57 PM UTC+7, dan (ddpbsd) wrote:
>
> On Oct 31, 2013 3:10 AM, "De Nguyen" <[email protected]> wrote:
> >
> > Dear Dan,
> >
> > On my ossec server, I'm using rsyslogd as the central syslog server. The config file is:
> >
> > /etc/sysconfig/rsyslog
> >
> > # Options to syslogd
> > # -m 0 disables 'MARK' messages.
> > # -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
> > # -x disables DNS lookups on messages recieved with -r
> > # See syslogd(8) for more details
> > SYSLOGD_OPTIONS="-c3"
> > # Options to klogd
> > # -2 prints all kernel oops messages twice; once for klogd to decode, and
> > # once for processing with 'ksymoops'
> > # -x disables all klogd processing of oops messages entirely
> > # See klogd(8) for more details
> > KLOGD_OPTIONS="-x"
> >
> > and /etc/rsyslog.conf :
> >
> > # Use traditional timestamp format
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > # Provides kernel logging support (previously done by rklogd)
> > $ModLoad imklog
> > # Provides support for local system logging (e.g. via logger command)
> > $ModLoad imuxsock
> >
> >
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.* /dev/console
> >
> > # Log anything (except mail) of level info or higher.
> > # Don't log private authentication messages!
> > *.info;mail.none;authpriv.none;cron.none /var/log/messages
> >
> > # The authpriv file has restricted access.
> > authpriv.* /var/log/secure
> >
> > # Log all the mail messages in one place.
> > mail.* -/var/log/maillog
> >
> >
> > # Log cron stuff
> > cron.* /var/log/cron
> >
> > # Everybody gets emergency messages
> > *.emerg *
> >
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit /var/log/spooler
> >
> > # Save boot messages also to boot.log
> > local7.* /var/log/boot.log
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> > :FROMHOST-IP, isequal, "192.168.1.111" /var/log/rhel6.log
> >
> >
> > my ossec.conf :
> >
> >
> > <ossec_config>
> > <global>
> > <email_notification>yes</email_notification>
> > <email_to>ossec@localhost</email_to>
> > <smtp_server>localhost.localdomain</smtp_server>
> > <email_from>ossecm@localhost</email_from>
> > <logall>yes</logall>
> > </global>
> >
> > <database_output>
> > <hostname>localhost</hostname>
> > <username>ossec</username>
> > <password>ossec</password>
> > <database>ossec</database>
> > <type>mysql</type>
> > </database_output>
> >
> > ...
> >
> > <global>
> > <white_list>127.0.0.1</white_list>
> > <white_list>^localhost.localdomain$</white_list>
> > <white_list>192.168.1.111</white_list> ### <-- My OSSEC server
> > <white_list>192.168.1.112</white_list> ### <-- My Agent linux Server
> > </global>
> >
> > ...
> > </ossec_config>
> >
> >
> > Everything else in the configuration uses the OSSEC defaults.
> >
>
> To use the client syslog functionality, you'll have to configure it. This page has the syntax details you need:
>
> http://ossec.net/doc/syntax/head_ossec_config.syslog_output.html
>
> > my ossec.log :
> >
> >
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading local decoder file.
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> > 2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12844).
> > 2013/10/31 14:04:59 ossec-remoted: Remote syslog allowed from: '221.133.0.0/28'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> > 2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12845).
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> > 2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12846).
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Total rules enabled: '1289'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '192.168.1.111'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '192.168.1.112'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: 3 IPs in the white list for active response.
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Started (pid: 12836).
> > 2013/10/31 14:05:00 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> > 2013/10/31 14:05:00 ossec-remoted(1410): INFO: Reading authentication keys file.
> > 2013/10/31 14:05:00 ossec-remoted: INFO: Assigning counter for agent myagent: '39:897'.
> > 2013/10/31 14:05:00 ossec-remoted: INFO: Assigning sender counter: 0:517
> > 2013/10/31 14:05:00 ossec-monitord: INFO: Started (pid: 12856).
> > 2013/10/31 14:05:02 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> > 2013/10/31 14:05:02 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Started (pid: 12852).
> > 2013/10/31 14:05:04 ossec-rootcheck: INFO: Started (pid: 12852).
> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring output of command(360): df -h
> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Started (pid: 12840).
> > 2013/10/31 14:05:06 ossec-dbd: INFO: Started (pid: 12819).
> >
> > Best Regards,
> >
> >
> > On Thursday, October 31, 2013 11:47:50 AM UTC+7, dan (ddpbsd) wrote:
> >>
> >> On Oct 31, 2013 12:45 AM, "De Nguyen" <[email protected]> wrote:
> >> >
> >> > Dear Dan,
> >> >
> >> > Thanks for your support.
> >> >
> >> > I use ossec version 2.7 on Linux CentOS 5.8 32 bit.
> >> > I'm using ossec with apache 2.2.22, mysql 5.1.58, php 5.17 and Analogi 1.3 for log monitoring.
> >> >
> >> > If I use ossec with a central syslog server on my server, can I achieve my solution? And if the answer is yes, which syslog server can I use (rsyslogd, syslog-ng, etc.)?
> >> >
> >>
> >> Any standard syslogd should work fine. They should work for both collection of the logs for ossec to use, and for sending alerts to from ossec.
> >>
> >> > Please, give me some idea for this solution.
> >> >
> >>
> >> Provide the configuration. I can't tell why ossec-csyslogd is failing without it and hopefully the ossec.log entries.
> >>
> >> > Thanks again for your help!
> >> >
> >> > Best Regards,
> >> >
> >> >
> >> > On Thursday, October 31, 2013 11:12:26 AM UTC+7, dan (ddpbsd) wrote:
> >> >>
> >> >> On Oct 30, 2013 11:33 PM, "De Nguyen" <[email protected]> wrote:
> >> >> >
> >> >> > Dear all,
> >> >> >
> >> >> > I'm a newbie with ossec. After I install ossec & start it, csyslogd is not running on my ossec server (type server). The status is like this:
> >> >> > ossec-monitord is running...
> >> >> > ossec-logcollector is running...
> >> >> > ossec-remoted is running...
> >> >> > ossec-syscheckd is running...
> >> >> > ossec-analysisd is running...
> >> >> > ossec-maild is running...
> >> >> > ossec-execd is running...
> >> >> > ossec-dbd is running...
> >> >> > ossec-csyslogd not running...
> >> >> >
> >> >>
> >> >> Csyslogd is the client syslog daemon. It's used for sending alerts to other systems via syslog.
> >> >> If that's what you are looking to do you should send your config. Also the version of ossec you're using and the platform (os specifically).
> >> >>
> >> >> > I want to monitor errors and warnings about hardware (RAID, HDD SCSI, RAM, etc.) from other servers and get an SMS when a server has a hardware problem. So, can I use ossec software for my solution?
> >> >> >
> >> >> > Many thanks to everyone who has an idea for my solution with open source software.
> >> >> >
> >> >> > Best Regards,
> >> >> >
> >> >> > --
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
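Dan's pointer to the syslog_output syntax above, worked through as an added ossec.conf fragment that is not from the thread or the OSSEC project: it is the server-side block that gives ossec-csyslogd something to do, assuming the rsyslog host from the thread (192.168.1.111) is the intended alert receiver and that the OSSEC 2.x element names server, port, level and format are used as in the linked syntax page.

```xml
<!-- Added example, not from the thread: enables alert forwarding from
     ossec-csyslogd. Assumed receiver: the rsyslog host 192.168.1.111. -->
<ossec_config>
  <syslog_output>
    <!-- csyslogd delivers over UDP, so a receiver that only loads imtcp
         (as in the rsyslog.conf above) also needs
         $ModLoad imudp and $UDPServerRun 514 to see these alerts -->
    <server>192.168.1.111</server>
    <port>514</port>
    <!-- minimum rule level to forward; lower it to forward more alerts -->
    <level>7</level>
    <!-- OSSEC's own single-line syslog alert format -->
    <format>default</format>
  </syslog_output>
</ossec_config>
```

The daemon is off by default in OSSEC 2.x and must be switched on with `/var/ossec/bin/ossec-control enable client-syslog` followed by a restart; ossec-control status should then list ossec-csyslogd as running.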
