1 - I don't understand your point when you say ossec-csyslogd should be run on an agent.
2 - If I want to send the data to my OSSEC server (Ubuntu 13.10), what should it do?
3 - I don't understand the concept you are referring to when you make a difference between an agent and a client; I mean, we should install agents on clients, isn't that right?
4 - By saying "install a syslog daemon", do you mean installing the syslog-ng application and similar?
5 - Where you mentioned that this is my ossec-remoted configuration, I believe it was totally wrong for a server.

ANSWER TO YOUR Qs:

1 - Well, I don't know exactly what you mean, but if you mean here, yeah, it's working: /var/ossec/logs/alerts/alerts.log. Here are 2 of many alerts generated:

** Alert 1387145814.0: - windows,authentication_success,
2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: (no user)
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing$

** Alert 1387145893.1440: - windows,system_error,
2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: (no user)
WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: The shadow$

2 - Elasticsearch? I'm involved in a Security Operations Center project; I'm collecting logs and making them as readable and understandable as possible, besides correlation. I need them to be parsed, indexed and searchable, while accessible from a browser and WUI, and I need diagrams and charts: a SIEM solution like Splunk, but not Splunk :D. Do you have a better solution? I would be glad to hear about it.

*** I have a big problem understanding the mechanism used in OSSEC, and the documentation lacks useful solutions and examples. I appreciate your time, Dan. What I'm mainly looking for is a powerful and smart log collector: powerful with collecting, correlating and sending, and smart with where to look for logs. I know OSSEC is a very good option, but I have a problem with collecting them, as I mentioned above. You said that I could use a log collection daemon and send all data to a log server, but where to parse them? Where to index them? I lack the bigger picture for my design; I need help to better understand this.
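The "where to parse them, where to index them" question above is the one a small script can answer concretely. The following is an added example, not code from the post, from the ossec-list thread, or from the OSSEC project: it reads the multi-line alerts.log layout quoted above (header line with alert id and rule groups, source line with agent and location, rule line with id, level and description, an optional User: line, then the original log text) into structured records, filters them by level, and renders them as the newline-delimited body Elasticsearch's _bulk API accepts. The sample alerts are constructed to match the two quoted ones (the trailing "$" display artifacts dropped); the "mail" flag on the second header and the optional "Src IP:" line are assumed from OSSEC's general alert format rather than taken from the post, and the index name "ossec-alerts" is an arbitrary choice.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, laid out like the two alerts quoted in the post. The
# "mail" flag on the second header is assumed from OSSEC's general format
# (rules that trigger e-mail are written that way) and is not in the post.
SAMPLE_ALERTS = """\
** Alert 1387145814.0: - windows,authentication_success,
2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: (no user)
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing

** Alert 1387145893.1440: mail  - windows,system_error,
2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: (no user)
WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: The shadow
"""

# "** Alert <epoch>.<seq>: [flags] - group1,group2,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?P<flags>.*?)- (?P<groups>.*?),?$")
# "<local time> [(agent)] <source>-><location>"; server-local alerts have no "(agent)" part
SOURCE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) )?(?P<src>\S+?)->(?P<location>.*)$"
)
# "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alert_block(block):
    """Turn one blank-line-delimited alerts.log entry into a flat dict."""
    lines = block.strip().splitlines()
    if len(lines) < 3:
        raise ValueError("alert block too short: %r" % block)
    m_header, m_source, m_rule = (HEADER_RE.match(lines[0]),
                                  SOURCE_RE.match(lines[1]),
                                  RULE_RE.match(lines[2]))
    if not (m_header and m_source and m_rule):
        raise ValueError("unrecognised alert layout: %r" % lines[0])
    # The alert id starts with the epoch second the alert was raised; that is
    # unambiguous, whereas the human-readable line is in the server's local time.
    epoch = int(m_header.group("id").split(".")[0])
    alert = {
        "alert_id": m_header.group("id"),
        "timestamp": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "local_time": m_source.group("ts"),
        "flags": m_header.group("flags").split(),
        "groups": [g for g in m_header.group("groups").split(",") if g],
        "agent": m_source.group("agent"),
        "source": m_source.group("src"),
        "location": m_source.group("location"),
        "rule_id": int(m_rule.group("rule")),
        "level": int(m_rule.group("level")),
        "description": m_rule.group("desc"),
        "user": None,
        "src_ip": None,
    }
    body = []
    for line in lines[3:]:
        # Optional decoder fields precede the original log text; "Src IP:" is
        # assumed from OSSEC's general format (not shown in the quoted alerts).
        if alert["user"] is None and line.startswith("User: "):
            alert["user"] = line[len("User: "):]
        elif alert["src_ip"] is None and line.startswith("Src IP: "):
            alert["src_ip"] = line[len("Src IP: "):]
        else:
            body.append(line)
    alert["full_log"] = "\n".join(body)
    return alert


def parse_alerts(text):
    """Parse a whole alerts.log chunk; entries are separated by blank lines."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_alert_block(b) for b in blocks]


def alerts_at_or_above(alerts, min_level):
    """Keep only alerts whose rule level meets the threshold you want indexed."""
    return [a for a in alerts if a["level"] >= min_level]


def to_bulk_ndjson(alerts, index="ossec-alerts"):
    """Render alerts as an Elasticsearch _bulk body: action line, then document."""
    out = []
    for a in alerts:
        out.append(json.dumps({"index": {"_index": index, "_id": a["alert_id"]}}))
        out.append(json.dumps(a))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_bulk_ndjson(parse_alerts(SAMPLE_ALERTS)), end="")
```

In practice the script would tail /var/ossec/logs/alerts/alerts.log on the server (the file the post shows is populated) and POST the ndjson to the _bulk endpoint; parsing on the OSSEC server and indexing on the search node keeps the agents untouched, which is the split the earlier reply was describing.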
