On Mon, Aug 24, 2015 at 10:40 AM, Edward Ned Harvey <[email protected]> wrote:
> I am a little confused about exactly what ossec is, and what I should expect
> from it.
>
> I have two use cases:
>
> (1) A standalone web server, running httpd, mysqld, and a few other services
> (sshd, etc). We could monitor logs via logwatch, but it alerts us to normal
> stuff like 404 responses served by httpd, and it's not straightforward how
> to configure it, and it runs via cron. We would like to have a live system
> monitoring logs on the fly, alerting us about actual things that need
> attention - server out of memory error, but not 404 error, etc.
>

This is configurable in OSSEC. You can alert on 404s, or ignore them.
You can alert on "excessive" log messages in short time frames (100
404s from the same client in 2 minutes). If there is a log alerting
you of memory issues you can easily alert on it, but if you want to
test the output of `free` against predetermined thresholds it gets
tougher. You essentially have to write a script that logs an error
message that OSSEC can alert on.

> (2) A bunch of servers, that already have zabbix, serverdensity, or similar
> running, but alerts are mostly about system status, not log processing. We'd
> like to add log monitoring.
>

OSSEC can monitor logs, and alert on what you have configured it to alert on.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

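The reply above notes that thresholds on `free` need a script that logs a message OSSEC can alert on. Below is one such script, added here as an example and not code from the thread or the OSSEC project; it assumes Linux procps `free -m` output, the `logger` utility, constructed sample output, and a hypothetical local rule that matches on the string `memcheck: LOW_MEMORY`.

```shell
#!/bin/sh
# memcheck.sh: compare available memory (from `free -m`) against a threshold and, when
# it is low, write one syslog line that an OSSEC <localfile> reader will pick up.
# Added example, not from the thread or the OSSEC project. Assumes Linux procps `free`
# and a hypothetical local rule, e.g. <match>memcheck: LOW_MEMORY</match>.
THRESHOLD_MB="${THRESHOLD_MB:-256}"   # alert when "available" memory drops below this

# Read `free -m` output on stdin and print the Mem: "available" column in MB.
# Older procps has no "available" column; fall back to the "free" column there.
parse_available_mb() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i + 1 }   # data rows carry a "Mem:" label
        /^Mem:/ {
            if ("available" in col) print $(col["available"]); else print $(col["free"])
            exit
        }'
}

# Compare an MB figure against THRESHOLD_MB. Prints the message destined for syslog;
# returns 0 when fine, 1 when low, 2 when the input could not be parsed.
check_memory() {
    case "$1" in
        ''|*[!0-9]*) echo "memcheck: PARSE_ERROR value='$1'"; return 2 ;;
    esac
    if [ "$1" -lt "$THRESHOLD_MB" ]; then
        echo "memcheck: LOW_MEMORY available=${1}MB threshold=${THRESHOLD_MB}MB"
        return 1
    fi
    echo "memcheck: OK available=${1}MB threshold=${THRESHOLD_MB}MB"
}

# Run the full check on a block of `free -m` text (lets the logic be exercised offline).
run_check() {
    check_memory "$(printf '%s\n' "$1" | parse_available_mb)"
}

# Constructed sample outputs (not captured from a real host): new and old procps formats.
SAMPLE_NEW='              total        used        free      shared  buff/cache   available
Mem:           7977        5120         300         100        2557         180'
SAMPLE_OLD='             total       used       free     shared    buffers     cached
Mem:          7977       5120        300        100        200       2357'

# Cron entry point (e.g. */5 * * * * /usr/local/bin/memcheck.sh). Only the failure line
# is logged, so OSSEC sees nothing on healthy runs and one event when memory is low.
case "$0" in
    */memcheck.sh|memcheck.sh)
        if ! msg=$(run_check "$(free -m)"); then
            logger -t memcheck -p daemon.err -- "$msg"
            exit 1
        fi ;;
esac
```

The OSSEC side is then a normal rule on the syslog file: a `<match>` on `memcheck: LOW_MEMORY` at whatever level should page you, and nothing at all for the healthy case since no line is written.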