“You can leave the OSSEC agent running, but simply use a separate process to pull IIS logs from Azure and append it line by line to the monitored local file”

Jb Cheng,

Thanks for answering my question; I actually did just what you mentioned. I have one process that pulls down Azure IIS hourly logs every 15 minutes. I have another process that reads the log and writes it to a daily IIS file that the local OSSEC agent is watching. The tricky part was keeping track of how many lines had been read in from the hourly logs. I also induced a second delay for writes to the log, as I wasn't sure how OSSEC interpreted the frequency in time of events. For instance, if 50 HTTP 404 errors in 5 minutes constituted an attack, I am assuming OSSEC evaluates the time the events were received and not the timestamps on the records. So far it seems to be working pretty darn well, but as these web services grow I will have to have a more scalable solution. We might try installing an agent on one of the Azure systems, but I need to research whether OSSEC can be installed in an unattended mode, as we would need to install OSSEC along with our regular Azure deployment process.

Thanks again.

James Whittington

From: [email protected] [mailto:[email protected]] On Behalf Of Jb Cheng
Sent: Monday, March 17, 2014 6:18 PM
To: [email protected]
Subject: [ossec-list] Re: How does OSSEC keep track of what events it has not processed?

Not a direct answer to your question, but you may want to try an alternative approach I used for testing. You can leave the OSSEC agent running, but simply use a separate process to pull IIS logs from Azure and append it line by line to the monitored local file.

On Tuesday, March 4, 2014 6:58:16 AM UTC-8, James Whittington wrote:

How does OSSEC keep track of a logfile and what events have not been seen yet? I am pulling down hourly-based IIS logs every 15 minutes from Windows Azure Blob storage to flat files that are identical to native IIS logs. It appears OSSEC was putting a file lock on the IIS log being read (preventing it from being overwritten), so I am stopping the OSSEC agent, pulling the latest log, then starting the OSSEC agent every 15 minutes. OSSEC says it is analyzing the file, but I've yet to see any events generated from that log source. On an OSSEC restart, will OSSEC read from where it left off in the file, or is it somehow listening for only new data being written to the log? I don't think it's possible to run an OSSEC agent in the Azure cloud, at least I haven't seen anyone say they have been able to do it, but I would still like to use OSSEC to watch over some of the web applications we have in the cloud.

Thanks,
James Whittington

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
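The approach James describes above (a side process that copies unseen lines from the downloaded hourly IIS logs into one daily file that the OSSEC agent watches, remembering how far into each hourly file it has already read) can be written as follows. This is an added illustration, not code from the thread or from the OSSEC project. It assumes the hourly files have already been downloaded from Azure Blob storage into a local directory (the download step is not shown), that a small JSON state file holding per-file byte offsets is acceptable, and that the IIS files are standard W3C format whose `#` directive lines should not be forwarded as events. The one-second spacing of writes that James mentions is modelled as an optional `pause` argument. The directory, file and function names are mine, and the log lines in `demo()` are constructed samples.

```python
"""
Incrementally append new IIS W3C request lines from downloaded hourly log
files into a single daily file watched by an OSSEC agent.

Assumptions (this is an added example, not code from the ossec-list thread):
- hourly files already exist in SOURCE_DIR (downloaded from Azure elsewhere);
- STATE_PATH is a JSON file mapping hourly file name -> bytes already copied,
  so reruns every 15 minutes only copy what is new;
- '#' directive lines (#Software, #Fields, ...) are skipped so the OSSEC
  decoder only sees request records.
"""
import json
import os
import time


def load_state(state_path):
    """Per-file byte offsets from the previous run; empty on first run."""
    try:
        with open(state_path, "r", encoding="utf-8") as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_state(state_path, state):
    """Write state atomically so a crash cannot leave a half-written file
    (which would otherwise cause lines to be replayed or skipped)."""
    tmp = state_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(state, f)
    os.replace(tmp, state_path)


def read_new_lines(path, offset):
    """Return (complete new lines after byte `offset`, new offset).

    A trailing partial line (the hourly file may have been downloaded while
    IIS was still writing it) is left for the next run, so the monitored
    daily file never receives a truncated record."""
    size = os.path.getsize(path)
    if size < offset:
        # The file was replaced by a shorter one (re-download): start over.
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    last_nl = data.rfind(b"\n")
    if last_nl == -1:
        return [], offset
    chunk = data[: last_nl + 1]
    lines = chunk.decode("utf-8", errors="replace").splitlines()
    return lines, offset + len(chunk)


def is_event(line):
    """IIS W3C files begin with '#' directive lines; everything else is a request."""
    return bool(line) and not line.startswith("#")


def sync_once(source_dir, daily_path, state_path, pause=0.0):
    """Append every unseen request line from each hourly file to the daily file.
    Returns the number of lines appended. `pause` spaces out writes in seconds."""
    state = load_state(state_path)
    appended = 0
    with open(daily_path, "a", encoding="utf-8") as out:
        for name in sorted(os.listdir(source_dir)):
            if not name.lower().endswith(".log"):
                continue
            path = os.path.join(source_dir, name)
            lines, new_offset = read_new_lines(path, state.get(name, 0))
            for line in lines:
                if is_event(line):
                    out.write(line + "\n")
                    out.flush()  # make each record visible to the agent immediately
                    appended += 1
                    if pause:
                        time.sleep(pause)
            state[name] = new_offset
    save_state(state_path, state)
    return appended


def demo():
    """Constructed sample run (not real Azure data): two syncs over one hourly
    file whose last line is still being written during the first sync."""
    import tempfile
    base = tempfile.mkdtemp()
    src = os.path.join(base, "hourly")
    os.mkdir(src)
    hourly = os.path.join(src, "u_ex14030406.log")
    daily = os.path.join(base, "u_ex140304_daily.log")
    state = os.path.join(base, "state.json")
    header = ("#Software: Microsoft Internet Information Services 8.0\n"
              "#Fields: date time s-ip cs-method cs-uri-stem sc-status\n")
    with open(hourly, "w", encoding="utf-8") as f:
        f.write(header)
        f.write("2014-03-04 06:00:01 10.0.0.4 GET /index.html 200\n")
        f.write("2014-03-04 06:00:05 10.0.0.4 GET /admin.php 404\n")
        f.write("2014-03-04 06:00:09 10.0.0.4 GET /wp-login")  # partial line
    first = sync_once(src, daily, state)
    with open(hourly, "a", encoding="utf-8") as f:
        f.write(".php 404\n")
        f.write("2014-03-04 06:00:10 10.0.0.4 GET /setup.php 404\n")
    second = sync_once(src, daily, state)
    with open(daily, encoding="utf-8") as f:
        daily_lines = f.read().splitlines()
    return first, second, daily_lines


if __name__ == "__main__":
    print(demo())
```

Because only complete lines are copied and the offset is persisted atomically, the sync can run every 15 minutes (or be restarted after a crash) without replaying or skipping records, and the daily file only ever grows, which is the append-only pattern the agent's tailing expects. The daily file would then be the `<location>` of a `<localfile>` entry in the agent's ossec.conf.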
