On Wed, Apr 1, 2015 at 7:57 AM, <[email protected]> wrote:
>
> On Wednesday, April 1, 2015 at 1:47:03 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 1, 2015 at 7:37 AM, <[email protected]> wrote:
>> > hi,
>> >
>> > First I want that ossec collects all logs.
>> > I have put the logall options and
>> > log alertlevel is even at 0
>> >
>> > <global>
>> > <logall>yes</logall>
>> > </global>
>> >
>> > <alerts>
>> > <log_alert_level>0</log_alert_level>
>> > <email_alert_level>0</email_alert_level>
>> > </alerts>
>> >
>> > still I don't get all log information, i usually get logs regarding
>> > event 3 (mostly or higher).
>> >
>> > what else do I need to do, so OSSEC will log all events?
>> >
>>
>> All log messages received by OSSEC should be in
>> /var/ossec/logs/archives/archives.log. Not all log messages trigger an
>> alert.
>>
> I see what you mean.
>
>>
>> > Second question is about OpenVPN
>> >
>> > Can I gather openvpn events to OSSEC?
>>
>> If it logs to a file you can.
>
> yes, it logs the information I need, so it's just reading the openvpn log
>
>>
>> > I tried the rules and decoders but that's just time wasting,
>>
>> Why is it a waste of time?
>
> Because I spend a lot of time figuring this out and without results.
>
>>
>> > I really don't understand the OSSEC has not standard rules for such a
>> > widely used program !!
>>
>> Would you like to know why we don't have rules and decoders for
>> OpenVPN? It's an easy answer: No one has written and contributed any.
>> No one has bothered to even contribute log samples. I don't use it.
>> None of the devs I've chatted with have mentioned it. It's hard to
>> support something I don't have access to.
>>
>> Send me log samples, I'll do some work with it. Submit a pull request
>> with decoders and rules, and I'll make sure they get in. Whine and
>> I'll do nothing.
>>
> Sorry, I am not whining, it's just frustrating.
> OpenVPN is widely used and I expected it to be in the list for the rules.
> Anyway, I have a list of decoders and rules for openvpn, I can send them
> also if you want,
> but I would like to know if there is an easy way for OSSEC to read the
> openvpn log files

Add localfile options pointing to the logfiles in the system's ossec.conf.
Then restart the OSSEC processes.

> I have even added the openvpn directory for the agent.
> Anyway let me know if you need the decoders or rules and thx for the quick
> reply.
>

If you want them included in OSSEC, submit a pull request on github
(https://github.com/ossec/ossec-hids). Please include log samples, and
if you have time a test file in contrib/ossec-testing/tests

If you don't github, send them to me. I'll get them in.

>>
>> > anyway, what I want is that ossec also collects information from
>> > openvpn, for example, who logged on, which ip address, failed logon
>> > attempts etc.
>> >
>> > Thx
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
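
The localfile setup suggested in the reply above, shown as an added example that is not part of the original thread or of the OSSEC project's shipped configuration. The log path /var/log/openvpn.log is an assumption; use whatever file your OpenVPN configuration's "log" or "log-append" directive names.

```xml
<!-- Added example. The OpenVPN log path below is an assumed placeholder. -->
<ossec_config>

  <!-- In ossec.conf on the machine that runs OpenVPN (agent or server):
       tell ossec-logcollector to follow the OpenVPN log file. -->
  <localfile>
    <!-- "syslog" is OSSEC's generic format for single-line text logs. -->
    <log_format>syslog</log_format>
    <location>/var/log/openvpn.log</location>
  </localfile>

  <!-- In ossec.conf on the OSSEC server: keep every received event,
       whether or not it triggers an alert, in
       /var/ossec/logs/archives/archives.log. -->
  <global>
    <logall>yes</logall>
  </global>

</ossec_config>
```

After editing, restart with `/var/ossec/bin/ossec-control restart` and check that OpenVPN lines show up in archives.log on the server. Until decoders and rules for OpenVPN exist, those lines are archived but will not produce alerts.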
