Maybe I’m crazy, but I think OSSEC is like a log daemon +… It’s cross-platform, it includes encryption, it has built-in filtering and can do active response. Why would it make sense to duplicate log shipping if you need it to do the security stuff? I.e. OSSEC ought to be a good log aggregator to serve its primary security goal IMO.
--
James Pulver
CLASSE Computer Group
Cornell University

From: [email protected] On Behalf Of Jeremy Rossi
Sent: Wednesday, June 18, 2014 7:50 AM
To: [email protected]
Subject: Re: [ossec-list] logging all, but not commands?

We would very much welcome it. Some suggestions, but nothing more for the branch :).

Agent -> master: JSON, and use the first char of { to pick the new code path for processing the messages. This will allow the master to work with legacy agents and new agents cleanly.

Master -> agent: This is harder, but something I am working on now as part of the work on active response. The reason it is harder is that unless we change the method of encryption/communication at the same time, we have no concept of agent version, so no idea what formats of messages are acceptable. I still don't know the best method for dealing with this and would love ideas.

Logall: Side note, this log-all feature comes up all the time and is confusing, I think, and maybe something we should solve better. But I am worried about turning OSSEC from security into a log daemon, as other tools have solved that problem.

On Jun 18, 2014, at 12:30 AM, "Janelle" <[email protected]> wrote:

I guess I need to start a new branch and work on a way to do this :-)

On Tuesday, June 17, 2014 2:57:34 PM UTC-7, Michael Starks wrote:

On 2014-06-17 16:31, Janelle wrote:
> Trying to send "archives" to a syslog server for archival, and it
> can't handle all the extraneous code.

Ah, yes. I have done this as well and had this problem with keepalives and such. Another issue is that the OSSEC log format isn't syslog. It looks like syslog, but it's not.

Then there's this:

Agentless:      yyyy mmm dd hh:mm:ss (script_name) username->agentless ossec: agentless: Change detected
Command output: yyyy mmm dd hh:mm:ss agentname->command
Syscheck:       yyyy mmm dd hh:mm:ss (agent_name) agent_ip->syscheck
Windows:        yyyy mmm dd hh:mm:ss (agent_name) agent_ip->log_name log_name_again

Agent IP could be the IP, or it could be "any."

What I wish was that:

1. This was syslog formatted (or something else nice like JSON)
2. In the syslog header, the hostname could be either the agent name or the actual hostname
3. Newlines were removed or otherwise handled gracefully

And/or that raw logs could be sent over to a syslog server like alerts are now, in addition to being analyzed. You could even strip off the OSSEC header at that point and the syslog server wouldn't know the difference.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
