OSSEC by default does not read from its own logs (ossec.log or 
active-response.log); you can add them with the localfile option.

Regarding the rules you posted, OSSEC triggers them internally; there is 
no specific log for rootcheck or syscheck. When the process ends, OSSEC uses 
the "SendMSG" function to add the event to a queue which ossec-analysisd will 
read.

Rule 515 has no errors; every rootcheck alert depends on rule 510 (general 
rootcheck alert), which depends on 509 (rootcheck event).

Regards,

Pedro S.

On Monday, February 22, 2016 at 5:39:09 PM UTC+1, [email protected] wrote:
>
> And one more question: how does ossec work with its logs?
>
> Should I add something like this to ossec.conf, or does ossec send its log 
> messages directly, without using logfiles? 
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/ossec/logs/ossec.log</location>
>   </localfile>
>
> In the file rules/ossec_rules.xml we can find these definitions:
>   <rule id="509" level="0">
>     <category>ossec</category>
>     <decoded_as>rootcheck</decoded_as>
>     <description>Rootcheck event.</description>
>     <group>rootcheck,</group>
>   </rule>
>
>   <rule id="510" level="7">
>     <if_sid>509</if_sid>
>     <description>Host-based anomaly detection event (rootcheck).</description>
>     <group>rootcheck,</group>
>     <if_fts />
>   </rule>
>   <rule id="515" level="0">
>     <if_sid>510</if_sid>
>     <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
>     <match>^Starting syscheck scan|^Ending syscheck scan.</match>
>     <description>Ignoring rootcheck/syscheck scan messages.</description>
>     <group>rootcheck,syscheck</group>
>   </rule>
>
>
> Why 515 rule depends on 510 ?
> Is this an error ?
>
> On Monday, February 22, 2016 at 5:37:18 PM UTC+3, 
> [email protected] wrote:
>>
>> Hello!
>> I want to send only changed filenames, like in the email (see below)?
>>
>> Is there any way to avoid waiting for rule 515 with "Ending syscheck scan"
>> and parse all logs by hand?
>>
>> Thank you!
>>
>> ---------- email message with aggregation multiple events to a single 
>> email ----------------
>> OSSEC HIDS Notification.
>> 2016 Feb 22 06:10:15
>>
>> Received From: serv-10244->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/home/woodwork/public_html/xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa54e/%%10^10D^10D3B5F4%%import_export.tpl.php'
>> Old md5sum was: 'dceb399d30e95119919656e661204554'
>> New md5sum is : '81245ed3dd02f3406eb8a2fed54d9942'
>> Old sha1sum was: '7d76c4a8134f64290c14706f15e7c7a28256fc51'
>> New sha1sum is : '539cf636a958d88a3e8f1f8fbb468716a9a0a6d1'
>>
>>
>>
>>  --END OF NOTIFICATION
>>
>>
>>
>> OSSEC HIDS Notification.
>> 2016 Feb 22 06:10:15
>>
>> Received From: serv-10244->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/home/woodwork/public_html/xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa54e/%%C3^C39^C3917CB7%%zipcode.tpl.php.md5'
>> Old md5sum was: '893a40c51c7f8bf5be98319a30c05a18'
>> New md5sum is : '94a2aab9fc50d05b6838e2bff772ee75'
>> Old sha1sum was: '092003613f24ac04e5214dc24d1dcb0494dbca03'
>> New sha1sum is : 'ed5607668955e07bedc7529f1f18843e174fdcf1'
>>
>>
>>
>>  --END OF NOTIFICATION
>>
>

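As an added illustration of the rule chain Pedro describes (this is example code written for this page, not code from OSSEC or from either poster): a small Python evaluator that loads rules 509, 510 and 515 exactly as quoted above, resolves the if_sid chain, and walks a few constructed rootcheck events through it. It simplifies what ossec-analysisd does: if_fts is treated as always true, multiple <match> elements are concatenated (which is why the first <match> of rule 515 ends in "|"), and the OSSEC match syntax is translated to a Python regex only for "^", "$" and "|". The wrapping <group> element and the sample log lines are constructed for the example.

```python
"""Toy evaluator for the OSSEC rule chain 509 -> 510 -> 515 (example, not OSSEC code)."""
import re
import xml.etree.ElementTree as ET

# Rules as quoted in the thread from rules/ossec_rules.xml. The enclosing
# <group> element is a constructed wrapper so the snippet parses as one document.
RULES_XML = """<group name="ossec,">
  <rule id="509" level="0">
    <category>ossec</category>
    <decoded_as>rootcheck</decoded_as>
    <description>Rootcheck event.</description>
    <group>rootcheck,</group>
  </rule>
  <rule id="510" level="7">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
    <if_fts />
  </rule>
  <rule id="515" level="0">
    <if_sid>510</if_sid>
    <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
    <match>^Starting syscheck scan|^Ending syscheck scan.</match>
    <description>Ignoring rootcheck/syscheck scan messages.</description>
    <group>rootcheck,syscheck</group>
  </rule>
</group>"""


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"),          # None for a top-level rule
            "decoded_as": r.findtext("decoded_as"),
            # OSSEC concatenates several <match> tags into one pattern.
            "match": "".join(m.text or "" for m in r.findall("match")),
            "description": r.findtext("description"),
        }
    return rules


def parent_chain(rules, rule_id):
    """Follow if_sid upwards: 515 -> 510 -> 509."""
    chain = []
    while rule_id is not None:
        chain.append(rule_id)
        rule_id = rules[rule_id]["if_sid"]
    return chain


def ossec_match_to_regex(pattern):
    """Translate OSSEC <match> syntax (^, $, | special; rest literal) to a regex."""
    alts = []
    for alt in pattern.split("|"):
        if not alt:                      # trailing "|" from concatenation
            continue
        anchored = alt.startswith("^")
        body = alt[1:] if anchored else alt
        at_end = body.endswith("$")
        body = body[:-1] if at_end else body
        alts.append(("^" if anchored else "") + re.escape(body) + ("$" if at_end else ""))
    return re.compile("|".join(alts))


def evaluate(rules, event):
    """Return the deepest matching rule for event {'decoded_as': ..., 'log': ...}, or None."""
    children = {}
    for r in rules.values():
        children.setdefault(r["if_sid"], []).append(r)
    fired = next((r for r in children.get(None, [])
                  if not r["decoded_as"] or r["decoded_as"] == event["decoded_as"]), None)
    if fired is None:
        return None
    while True:                          # descend while a child rule matches
        nxt = next((c for c in children.get(fired["id"], [])
                    if not c["match"] or ossec_match_to_regex(c["match"]).search(event["log"])), None)
        if nxt is None:
            return fired
        fired = nxt                      # if_fts treated as always true in this toy


RULES = load_rules(RULES_XML)

if __name__ == "__main__":
    print("515 depends on:", " -> ".join(parent_chain(RULES, "515")))
    # Constructed sample events, all delivered through the rootcheck queue.
    for log in ("Ending syscheck scan.", "Trojaned version of file '/bin/ls' detected."):
        hit = evaluate(RULES, {"decoded_as": "rootcheck", "log": log})
        print(f"{log!r} -> rule {hit['id']} level {hit['level']}: {hit['description']}")
```

The "Ending syscheck scan." message lands on 515 at level 0 and is silenced, while any other rootcheck event stops at 510 and alerts at level 7; a syscheck integrity event never enters this chain because 509 requires decoded_as rootcheck.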