On Tue, Dec 17, 2013 at 6:24 AM, Aria Shishegaran <[email protected]> wrote:
> 1 - I don't understand your point when you say ossec-csyslogd should be run on
> an agent.

That is not what I said (meant?). ossec-csyslogd should NOT be run on an agent. ossec-csyslogd sends OSSEC alerts to a listening syslog daemon. OSSEC agents are unaware of OSSEC alerts (they do not produce or process OSSEC alerts), so ossec-csyslogd is useless on an agent.

> 2 - if I want to send the data to my ossec server (ubuntu 13.10) what should
> it do?

What is "it"? If you mean ossec-csyslogd, nothing. It does nothing to assist you in this goal. ossec-agentd can send the data (using the "secure" protocol), or you can configure a syslog daemon on the system to send the logs to the OSSEC server via syslog.

> 3 - I don't understand the concept you are referring to when you make a difference
> between an agent and a client, I mean we should install agents on clients,
> isn't that right?

The only time I use the term "client" is in reference to ossec-csyslogd. The "c" in csyslogd stands for client; it is a "client syslog daemon." I refer to the system running OSSEC, reporting to an OSSEC server, as an agent.

> 4 - by saying install a syslog daemon you mean installing the syslog-ng
> application and similar?

Possibly, I don't remember the context.

> 5 - where you mentioned that this is my ossec-remoted configuration, I believe
> it was totally wrong for a server

I don't understand. IIRC, the section of config this was referring to was a <remote> configuration. <remote> belongs on the server only. It has no meaning on an agent, since agents do not run ossec-remoted.

> ANSWER TO YOUR Qs:
> 1 - well I don't know exactly what you mean, but if you mean here, yeah it's working
> : var/ossec/logs/alerts/alerts.log
> here's 2 of many alerts generated :
> ** Alert 1387145814.0: - windows,authentication_success,
> 2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> User: (no user)
> WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing$
>
> ** Alert 1387145893.1440: - windows,system_error,
> 2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
> Rule: 18103 (level 5) -> 'Windows error event.'
> User: (no user)
> WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: The
> shadow$
>

I'm not entirely sure what question you were answering here. This email is very confusing without context.

> 2 - elastic search? I'm involved in a Security Operations Center project,
> I'm collecting logs and making them as readable and understandable as
> possible besides correlation, I need it to be parsed, indexed and searchable,
> while accessible from browser and WUI and I need diagrams and charts, a SIEM
> solution like splunk but not splunk :D. do you have a better solution? I
> would be glad to hear about it.
>

Nope, elasticsearch could be fine. What question was this supposed to answer?

> ***I have a big problem understanding the mechanism used in ossec and the
> documentation lacks useful solutions and examples. I appreciate your time Dan.

We are always looking for help with the documentation. Very few people are interested.

> what I'm mainly looking for is a powerful and smart log collector, powerful
> with collecting, correlating and sending and smart with where to look for
> logs, I know ossec is a very good option but I have a problem with
> collecting them as I mentioned above, you said that I could use a log
> collection daemon and send all data to a log server, but where to parse
> them? where to index them? I lack the bigger picture for my design, I
> need help to better understand this.
>

I think this goes beyond the scope of OSSEC. OSSEC's goal is to read the logs and compare them to rules looking for suspicious behavior. Using it to transport all of your logs from various systems to a centralized system to an indexer is not really a goal of OSSEC. Using those logs to create alerts, and forwarding the alerts on to an indexer is simple. Beyond that, you're probably beyond the scope of OSSEC.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
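The thread ends on the point that forwarding OSSEC alerts to an indexer is the simple part. As an added example (mine, not from the thread or the OSSEC project), the parser below turns the alerts.log layout Aria pasted into flat records that an indexer such as Elasticsearch can ingest; the sample alert text, the `mail` marker handling, and the output field names are my own constructed choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the alerts.log layout quoted in the thread (not a real capture).
SAMPLE_ALERTS = """\
** Alert 1387145814.0: - windows,authentication_success,
2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: (no user)
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: constructed text

** Alert 1387145893.1440: mail - windows,system_error,
2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: (no user)
WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: constructed text
"""

# Header line: "** Alert <epoch>.<counter>: [mail] - <group>,<group>,"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+):( mail)? - (.*?),?$")
# Source line: "<local time> [(<agent>) <agent ip>->]<location>"; no agent part for server-local logs
SOURCE_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) (?:\((.*?)\) (\S+)->)?(.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Turn alerts.log text into one flat dict per alert, ready to index."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        src = SOURCE_RE.match(lines[1]) if len(lines) > 2 else None
        rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
        if not (head and src and rule):
            continue  # malformed block: skip it rather than guess at fields
        epoch, counter, mail, groups = head.groups()
        alerts.append({
            "id": f"{epoch}.{counter}",
            "timestamp": datetime.fromtimestamp(int(epoch), timezone.utc).isoformat(),
            "mail": mail is not None,
            "groups": [g for g in groups.split(",") if g],
            "agent": src.group(2),      # None when the server's own logs raised the alert
            "agent_ip": src.group(3),
            "location": src.group(4),
            "rule_id": int(rule.group(1)),
            "level": int(rule.group(2)),
            "description": rule.group(3),
            "log": "\n".join(lines[3:]),  # User: line plus the raw event text
        })
    return alerts
```

The epoch in the header is what the indexer should sort on; the human-readable time on the second line is the OSSEC server's local time and can differ from it by the server's UTC offset.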
