I think people forget that when you put OSSEC on a server, it really does not make sense to run a syslog-type daemon sending data to a central log host at the same time OSSEC is doing it. It wastes bandwidth, and since OSSEC can actually deliver more than just standard "syslogs", it is much more useful. For example, syslog is not typically going to centralize your HTTPD logging, and OSSEC can. It makes sense to add a little more flexibility in the output of the logall feature.
On Wednesday, June 18, 2014 5:06:31 AM UTC-7, James M. Pulver wrote:
>
> Maybe I'm crazy, but I think OSSEC is like a log daemon +...
>
> It's cross platform, it includes encryption, it has built in filtering and
> can do active response. Why would it make sense to duplicate log shipping
> if you need it to do the security stuff? I.e. OSSEC ought to be a good log
> aggregator to serve its primary security goal IMO.
>
> --
> James Pulver
> CLASSE Computer Group
> Cornell University
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jeremy Rossi
> Sent: Wednesday, June 18, 2014 7:50 AM
> To: [email protected]
> Subject: Re: [ossec-list] logging all, but not commands?
>
> We would very much welcome it. Some suggestions, but nothing more for the
> branch :).
>
> Agent -> master:
>
> json and use first char of { to pick new code path for processing the
> messages. This will allow master to work with legacy agents and new agents
> cleanly.
>
> Master -> agent:
>
> This is harder but something I am working on now as part of the work on
> active response. The reason it is harder is that unless we change the method
> of encryption/communication at the same time, we have no concept of agent
> version, so no idea what formats of messages are acceptable. I still don't
> know the best method for dealing with this and would love ideas.
>
> Logall:
>
> Side note: this log all feature comes up all the time and is confusing I
> think, and maybe something we should solve better. But I am worried about
> turning ossec from security to a log daemon as other tools have solved that
> problem.
>
> On Jun 18, 2014, at 12:30 AM, "Janelle" <[email protected]> wrote:
>
> I guess I need to start a new branch and work on a way to do this :-)
>
> On Tuesday, June 17, 2014 2:57:34 PM UTC-7, Michael Starks wrote:
>
> On 2014-06-17 16:31, Janelle wrote:
> > Trying to send "archives" to a syslog server for archival, and it
> > can't handle all the extraneous code.
>
> Ah, yes. I have done this as well and had this problem with keepalives
> and such. Another issue is that the ossec log format isn't syslog. It
> looks like syslog but it's not. Then there's this:
>
> Agentless:
> yyyy mmm dd hh:mm:ss (script_name) username->agentless ossec: agentless:
> Change detected
>
> Command output:
> yyyy mmm dd hh:mm:ss agentname->command
>
> Syscheck:
> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->syscheck
>
> Windows:
> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->log_name log_name_again
>
> Agent IP could be the IP or it could be "any."
>
> What I wish was that:
>
> 1. This was syslog formatted (or something else nice like JSON)
> 2. In the syslog header, the hostname could be either the agent name or
> the actual hostname
> 3. Newlines were removed or otherwise handled gracefully
>
> And/or that raw logs could be sent over to a syslog server like alerts
> are now, in addition to being analyzed. You could even strip off the
> ossec header at that point and the syslog server wouldn't know the
> difference.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
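The thread above describes the OSSEC archive ("logall") header shapes (agentless, command output, syscheck, Windows, with the agent IP possibly being "any"), Michael's three wishes (syslog or JSON framing, agent name as the syslog hostname, newlines handled), and Jeremy's idea of dispatching on a leading `{` so legacy and JSON-emitting agents can coexist. The script below is an added example of how a reformatting step between the archive file and a syslog server could implement all of that; it is not OSSEC's own code. Everything not stated in the thread is an assumption: the sample archive lines are constructed, the JSON field names for the hypothetical new agent format are made up, and the syslog PRI of 14 (user.info) is an arbitrary choice.

```python
"""Reformat OSSEC archive ("logall") lines into syslog or JSON records.

Added example, not OSSEC's own code. Assumed (not from the thread): the
JSON field names of the hypothetical "new agent" format, the syslog
priority (14 = user.info), and the constructed sample lines below.
"""
import json
import re
from datetime import datetime

# Legacy archive header, covering the shapes listed in the thread:
#   yyyy mmm dd hh:mm:ss (agent_name) agent_ip->location message
#   yyyy mmm dd hh:mm:ss agentname->command message
#   yyyy mmm dd hh:mm:ss (script_name) username->agentless message
# "(name)" is optional; the token before "->" may be an IP or "any".
# re.DOTALL lets the message span embedded newlines (multi-line events).
_LEGACY = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<name>[^)]*)\) )?"
    r"(?P<src>\S+)->(?P<location>\S+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# A new event starts at a line beginning with a timestamp or with "{".
_EVENT_START = re.compile(r"^(\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2} |\{)", re.M)


def split_events(text):
    """Split raw archive text into events; lines that do not start a new
    event are continuation lines of the previous multi-line message."""
    starts = [m.start() for m in _EVENT_START.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[a:b].rstrip("\n") for a, b in zip(starts, ends)]


def parse_archive_line(line):
    """Return {ts, agent_name, source, location, message} for one event.

    Dispatches on the first character as suggested in the thread: "{"
    means a JSON record (assumed field names), anything else is legacy.
    """
    line = line.rstrip("\n")
    if line.startswith("{"):
        obj = json.loads(line)  # assumed keys: timestamp, agent_name, agent_ip, location, message
        return {"ts": obj["timestamp"], "agent_name": obj.get("agent_name"),
                "source": obj.get("agent_ip"), "location": obj["location"],
                "message": obj.get("message", "")}
    m = _LEGACY.match(line)
    if not m:
        raise ValueError("not an OSSEC archive line: %r" % line)
    name, src = m.group("name"), m.group("src")
    # Without "(name)" (command-output form) the token before "->" is the
    # agent name; otherwise it is the agent IP, "any", or agentless user.
    return {"ts": m.group("ts"),
            "agent_name": name if name is not None else src,
            "source": src if name is not None else None,
            "location": m.group("location"),
            "message": m.group("msg") or ""}


def to_syslog(rec, hostname="agent_name", pri=14):
    """Render <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (RFC 3164 style).

    `hostname` picks which record field fills the header (wish 2).
    Embedded newlines become the two characters "\\n" so each event stays
    a single syslog line (wish 3). The OSSEC header is dropped entirely.
    """
    ts = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S")
    host = rec.get(hostname) or rec["agent_name"] or "-"
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))  # day is space-padded
    msg = rec["message"].replace("\r", "").replace("\n", "\\n")
    return "<%d>%s %s %s: %s" % (pri, stamp, host, rec["location"], msg)


def convert(events, fmt="syslog", hostname="agent_name"):
    """Convert parsed events to 'syslog' lines or one-line JSON records."""
    out = []
    for ev in events:
        if not ev.strip():
            continue
        rec = parse_archive_line(ev)
        out.append(to_syslog(rec, hostname) if fmt == "syslog" else json.dumps(rec, sort_keys=True))
    return out


# Constructed sample archive events in the shapes the thread lists.
SAMPLE_LINES = [
    "2014 Jun 17 16:31:05 (web01) 10.0.0.5->syscheck Integrity checksum changed for: '/etc/passwd'",
    "2014 Jun 17 16:31:06 (web01) any->/var/log/httpd/access_log 10.0.0.9 - - [17/Jun/2014:16:31:05 -0700] \"GET / HTTP/1.1\" 200 612",
    "2014 Jun 17 16:31:07 web01->command ossec: output: 'df -P':\nFilesystem 1024-blocks Used Available Capacity Mounted on\n/dev/sda1 20511356 9876543 9589321 51% /",
    "2014 Jun 17 16:31:08 (ssh_integrity_check_linux) root@db01->agentless ossec: agentless: Change detected",
    "2014 Jun 17 16:31:09 (win01) 10.0.0.7->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on.",
    '{"timestamp": "2014 Jun 17 16:31:10", "agent_name": "web02", "agent_ip": "10.0.0.6", "location": "syscheck", "message": "File added: /tmp/x"}',
]

if __name__ == "__main__":
    for line in convert(split_events("\n".join(SAMPLE_LINES) + "\n")):
        print(line)
```

Pointing `convert` at `split_events(open("archives.log").read())` and writing the result to a syslog socket is the "strip off the ossec header and send it over" path Michael describes; pass `hostname="source"` to put the agent IP in the syslog header instead of the agent name. Keepalive filtering is deliberately left out because the thread does not show what those records look like.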
