On Oct 31, 2013 7:04 AM, "De Nguyen" <[email protected]> wrote:
>
> Dear Dan,
>
> Thanks for your support.
>
> May I use a central syslog server on the same system as the OSSEC server?
>

Yes.

> And my main purpose is to use OSSEC to monitor the agents' hardware errors (such as RAID, HDD, etc.)?
>
> Thanks and best regards,
>
> On Thursday, October 31, 2013 2:12:57 PM UTC+7, dan (ddpbsd) wrote:
>>
>>
>> On Oct 31, 2013 3:10 AM, "De Nguyen" <[email protected]> wrote:
>> >
>> > Dear Dan,
>> >
>> > On my ossec server, I'm using rsyslogd as the central syslog server. The config file is:
>> >
>> > /etc/sysconfig/rsyslog
>> >
>> > # Options to syslogd
>> > # -m 0 disables 'MARK' messages.
>> > # -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
>> > # -x disables DNS lookups on messages received with -r
>> > # See syslogd(8) for more details
>> > SYSLOGD_OPTIONS="-c3"
>> > # Options to klogd
>> > # -2 prints all kernel oops messages twice; once for klogd to decode, and
>> > #    once for processing with 'ksymoops'
>> > # -x disables all klogd processing of oops messages entirely
>> > # See klogd(8) for more details
>> > KLOGD_OPTIONS="-x"
>> >
>> > and /etc/rsyslog.conf :
>> >
>> > # Use traditional timestamp format
>> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> >
>> > # Provides kernel logging support (previously done by rklogd)
>> > $ModLoad imklog
>> > # Provides support for local system logging (e.g. via logger command)
>> > $ModLoad imuxsock
>> >
>> >
>> > # Log all kernel messages to the console.
>> > # Logging much else clutters up the screen.
>> > #kern.*                                                 /dev/console
>> >
>> > # Log anything (except mail) of level info or higher.
>> > # Don't log private authentication messages!
>> > *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>> >
>> > # The authpriv file has restricted access.
>> > authpriv.*                                              /var/log/secure
>> >
>> > # Log all the mail messages in one place.
>> > mail.*                                                  -/var/log/maillog
>> >
>> >
>> > # Log cron stuff
>> > cron.*                                                  /var/log/cron
>> >
>> > # Everybody gets emergency messages
>> > *.emerg                                                 *
>> >
>> > # Save news errors of level crit and higher in a special file.
>> > uucp,news.crit                                          /var/log/spooler
>> >
>> > # Save boot messages also to boot.log
>> > local7.*                                                /var/log/boot.log
>> > $ModLoad imtcp
>> > $InputTCPServerRun 514
>> > :FROMHOST-IP, isequal, "192.168.1.111"                  /var/log/rhel6.log
>> >
>> >
>> > my ossec.conf :
>> >
>> >
>> >
>> > <ossec_config>
>> >   <global>
>> >     <email_notification>yes</email_notification>
>> >     <email_to>ossec@localhost</email_to>
>> >     <smtp_server>localhost.localdomain</smtp_server>
>> >     <email_from>ossecm@localhost</email_from>
>> >     <logall>yes</logall>
>> >   </global>
>> >
>> > <database_output>
>> >    <hostname>localhost</hostname>
>> >    <username>ossec</username>
>> >    <password>ossec</password>
>> >    <database>ossec</database>
>> >    <type>mysql</type>
>> > </database_output>
>> >
>> > ...
>> >
>> >  <global>
>> >     <white_list>127.0.0.1</white_list>
>> >     <white_list>^localhost.localdomain$</white_list>
>> >     <white_list>192.168.1.111</white_list> ### <-- My OSSEC server
>> >     <white_list>192.168.1.112</white_list> ### <-- My Agent linux server
>> >   </global>
>> >
>> > ...
>> > </ossec_config>
>> >
>> >
>> > Any other configuration is using the ossec default.
>> >
>>
>> To use the client syslog functionality, you'll have to configure it. This page has the syntax details you need:
>>
>> http://ossec.net/doc/syntax/head_ossec_config.syslog_output.html
>>
>> > my ossec.log :
>> >
>> >
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading local decoder file.
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12844).
>> > 2013/10/31 14:04:59 ossec-remoted: Remote syslog allowed from: '221.133.0.0/28'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12845).
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> > 2013/10/31 14:04:59 ossec-remoted: INFO: Started (pid: 12846).
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'bro-ids_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Total rules enabled: '1289'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '192.168.1.111'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing IP: '192.168.1.112'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: 3 IPs in the white list for active response.
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>> > 2013/10/31 14:04:59 ossec-analysisd: INFO: Started (pid: 12836).
>> > 2013/10/31 14:05:00 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> > 2013/10/31 14:05:00 ossec-remoted(1410): INFO: Reading authentication keys file.
>> > 2013/10/31 14:05:00 ossec-remoted: INFO: Assigning counter for agent myagent: '39:897'.
>> > 2013/10/31 14:05:00 ossec-remoted: INFO: Assigning sender counter: 0:517
>> > 2013/10/31 14:05:00 ossec-monitord: INFO: Started (pid: 12856).
>> > 2013/10/31 14:05:02 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
>> > 2013/10/31 14:05:02 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Started (pid: 12852).
>> > 2013/10/31 14:05:04 ossec-rootcheck: INFO: Started (pid: 12852).
>> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
>> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
>> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> > 2013/10/31 14:05:04 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
>> > 2013/10/31 14:05:05 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
>> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring output of command(360): df -h
>> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
>> > 2013/10/31 14:05:05 ossec-logcollector: INFO: Started (pid: 12840).
>> > 2013/10/31 14:05:06 ossec-dbd: INFO: Started (pid: 12819).
>> >
>> > Best regards,
>> >
>> >
>> > On Thursday, October 31, 2013 11:47:50 AM UTC+7, dan (ddpbsd) wrote:
>> >>
>> >>
>> >> On Oct 31, 2013 12:45 AM, "De Nguyen" <[email protected]> wrote:
>> >> >
>> >> > Dear Dan,
>> >> >
>> >> > Thanks for your support.
>> >> >
>> >> > I use ossec version 2.7 on Linux CentOS 5.8 32 bit.
>> >> > I'm using ossec with apache 2.2.22, mysql 5.1.58, php 5.17 and Analogi 1.3 for monitoring logs.
>> >> >
>> >> > If I use ossec with a central syslog server on my server, can I resolve my problem? And if the answer is yes, which syslog server can I use (rsyslogd, syslog-ng, etc.)?
>> >> >
>> >>
>> >> Any standard syslogd should work fine. They should work both for collection of the logs for ossec to use, and for sending alerts from ossec.
>> >>
>> >> > Please, give me some idea for this solution.
>> >> >
>> >>
>> >> Provide the configuration. I can't tell why ossec-csyslogd is failing without it and hopefully the ossec.log entries.
>> >>
>> >> > Thanks again for your help !
>> >> >
>> >> > Best regards,
>> >> >
>> >> >
>> >> > On Thursday, October 31, 2013 11:12:26 AM UTC+7, dan (ddpbsd) wrote:
>> >> >>
>> >> >>
>> >> >> On Oct 30, 2013 11:33 PM, "De Nguyen" <[email protected]> wrote:
>> >> >> >
>> >> >> > Dear all,
>> >> >> >
>> >> >> > I'm a newbie with ossec. After I install ossec and start it, csyslogd is not running on my ossec server (type server). The status is like this:
>> >> >> > ossec-monitord is running...
>> >> >> > ossec-logcollector is running...
>> >> >> > ossec-remoted is running...
>> >> >> > ossec-syscheckd is running...
>> >> >> > ossec-analysisd is running...
>> >> >> > ossec-maild is running...
>> >> >> > ossec-execd is running...
>> >> >> > ossec-dbd is running...
>> >> >> > ossec-csyslogd not running...
>> >> >> >
>> >> >>
>> >> >> Csyslogd is the client syslog daemon. It's used for sending alerts to other systems via syslog.
>> >> >> If that's what you are looking to do you should send your config. Also the version of ossec you're using and the platform (os specifically).
>> >> >>
>> >> >> > I want to monitor errors and warnings about hardware (RAID, HDD SCSI, RAM, etc.) from other servers and get an SMS when a server has a hardware problem. So, can I use ossec software for my solution?
>> >> >> >
>> >> >> > Many thanks to everyone who has an idea for my solution with open source software.
>> >> >> >
>> >> >> > Best regards,
>> >> >> >
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the
Google Groups "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from
it, send an email to [email protected].
>> >> >>
>> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >> >
>> >
>
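An added example, not from the thread or the OSSEC project, of the configuration Dan points to: the `<syslog_output>` block that gives ossec-csyslogd something to do, plus the rsyslog side of it when the central syslog server is the same host, as in the setup quoted above. Assumed values are OSSEC 2.7 under /var/ossec, rsyslog configured in /etc/rsyslog.conf, and alerts of level 7 and above forwarded to 127.0.0.1:514; the check at the end catches the mismatch in the quoted rsyslog.conf, which only loads imtcp while csyslogd delivers over UDP.

```shell
#!/bin/sh
# Added example (not from the thread): enable OSSEC 2.7 client syslog output
# (csyslogd) on a host that also runs rsyslog as the central syslog server.
# Assumed values: OSSEC under /var/ossec, rsyslog config in /etc/rsyslog.conf,
# alerts of level 7 and above forwarded to 127.0.0.1:514.

OSSEC_CONF=${OSSEC_CONF:-/var/ossec/etc/ossec.conf}
RSYSLOG_CONF=${RSYSLOG_CONF:-/etc/rsyslog.conf}
SYSLOG_HOST=${SYSLOG_HOST:-127.0.0.1}
SYSLOG_PORT=${SYSLOG_PORT:-514}
MIN_LEVEL=${MIN_LEVEL:-7}

# csyslogd has nothing to do until ossec.conf carries a <syslog_output> block.
# ossec.conf accepts several <ossec_config> roots, so append one; skip if present.
add_syslog_output() {
    conf=$1
    grep -qF '<syslog_output>' "$conf" && return 0
    cat >> "$conf" <<EOF
<ossec_config>
  <syslog_output>
    <server>$SYSLOG_HOST</server>
    <port>$SYSLOG_PORT</port>
    <level>$MIN_LEVEL</level>
  </syslog_output>
</ossec_config>
EOF
}

# csyslogd forwards alerts over UDP; an rsyslog.conf that only loads imtcp
# (as quoted above) never sees them, so add a UDP listener on the same port.
add_rsyslog_udp_listener() {
    conf=$1
    grep -qF '$UDPServerRun' "$conf" && return 0
    printf '%s\n' '$ModLoad imudp' "\$UDPServerRun $SYSLOG_PORT" >> "$conf"
}

# Returns 0 only when both files carry what csyslogd needs to deliver alerts.
check_ready() {
    grep -qF "<server>$SYSLOG_HOST</server>" "$1" &&
    grep -qxF "\$UDPServerRun $SYSLOG_PORT" "$2"
}

# Touch the live system only when invoked with "apply": csyslogd is off by
# default and is switched on with ossec-control, then both daemons restart.
if [ "${1:-}" = "apply" ]; then
    add_syslog_output "$OSSEC_CONF"
    add_rsyslog_udp_listener "$RSYSLOG_CONF"
    check_ready "$OSSEC_CONF" "$RSYSLOG_CONF" || { echo "config incomplete" >&2; exit 1; }
    /var/ossec/bin/ossec-control enable client-syslog
    /var/ossec/bin/ossec-control restart
    service rsyslog restart
fi
```

After applying, the status output quoted at the top of the thread should show ossec-csyslogd running, and forwarded alerts land wherever rsyslog routes messages from 127.0.0.1.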

