On Wed, Oct 5, 2016 at 10:59 AM, Adiel Navarro <[email protected]> wrote:
> Sure, I restarted the services on the ossec server.
>
> How can I turn on the log_all option?
>
> Do you have any example?
>

Sorry, it's "logall" not "log_all."
https://ossec.github.io/docs/syntax/head_ossec_config.global.html?highlight=logall#element-logall

> Actually, I see that in var/ossec/logs/archives/archives.log on the server...
>
> drwxr-x--- 8 ossec ossec 4096 Oct  1 00:00 2016
> -rw-r----- 2 ossec ossec    0 Oct  5 00:00 archives.log
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Wednesday, October 5, 2016 09:40 a.m.
> To: [email protected]
> Subject: Re: [ossec-list] last -10
>
> On Wed, Oct 5, 2016 at 10:37 AM, Adiel Navarro <[email protected]> wrote:
>> No, the rule is not commented.
>> Meanwhile, I deleted the --> sign...
>>
>
> Did you restart the OSSEC processes on the server?
> You can try turning the log_all option on and check the archives.log to make
> sure your match will actually match the log messages sent over. I usually use
> aliases to make this easier.
> Also, make sure the output changes. If there are no changes, there will be no
> alert.
>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> Sent: Wednesday, October 5, 2016 09:25 a.m.
>> To: [email protected]
>> Subject: Re: [ossec-list] last -10
>>
>> On Wed, Oct 5, 2016 at 10:15 AM, Adiel Navarro <[email protected]> wrote:
>>> Sure,
>>> I configured the following rule in local_rules.xml on the ossec server:
>>>
>>> <rule id="140126" level="7">
>>>   <if_sid>530</if_sid>
>>>   <match>ossec: output: 'last -10 </match>
>>>   <check_diff />
>>>   <description>Last connections. </description>
>>> </rule> -->
>>>
>>
>> The "-->" marks the end of a comment. Could you possibly have the rule
>> currently commented out?
>>
>>>
>>> L.I. Adiel Jesús Navarro Rosado
>>> O&M Operational Security Analyst
>>> Email: [email protected]
>>> Ext.: 5179
>>> Tel.: 5510101509
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>> Sent: Wednesday, October 5, 2016 06:22 a.m.
>>> To: [email protected]
>>> Subject: Re: [ossec-list] last -10
>>>
>>> On Tue, Oct 4, 2016 at 6:21 PM, Aj Navarro <[email protected]> wrote:
>>>> I want to monitor the last connections on a server.
>>>>
>>>> I configured the last -10 command in ossec.conf on a client:
>>>>
>>>> <localfile>
>>>>   <log_format>full_command</log_format>
>>>>   <command>last 10</command>
>>>>   <frequency>60</frequency>
>>>> </localfile>
>>>>
>>>> I need the output of this command to be sent to the ossec server, but I am
>>>> not seeing any alert on the ossec wui.
>>>>
>>>> Do I need to configure anything else on the client or on the ossec server?
>>>>
>>>>
>>>
>>> Did you create a rule to look for the information coming from the command?
>>>
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
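As an added example for the troubleshooting steps above (this is not code from the thread, from OSSEC, or from either poster), here is a small Python simulator of the path the thread is debugging: the shape of the event an agent's full_command localfile produces, the substring test a rule's <match> performs, and why a rule with <check_diff /> stays silent while the command output does not change. The rule XML inside it is a hypothetical corrected version of the rule posted on the list (no trailing "-->", match string closed with ':'); the event header format "ossec: output: '<command>':", the plain-substring semantics of <match>, and treating the first observation as a change are assumptions stated in the comments, not facts taken from the thread. The sample `last -10` output is constructed.

```python
import xml.etree.ElementTree as ET

# Hypothetical corrected server-side rule, derived from the one posted on the list
# (not the poster's exact text): the stray trailing "-->" is gone and the match string
# is closed with ':' so that the rule keys on the exact command header.
LOCAL_RULES_XML = """<group name="local,">
  <rule id="140126" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'last -10':</match>
    <check_diff />
    <description>Last connections changed.</description>
  </rule>
</group>
"""

# Assumption: this is the prefix logcollector puts on full_command output and the
# string the built-in rule 530 keys on.
FULL_COMMAND_PREFIX = "ossec: output: '"


def load_rules(xml_text):
    """Parse just the rule elements used in this thread: id, level, if_sid, match,
    check_diff and description."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(r.findtext("if_sid", "0")),
            "match": r.findtext("match", ""),
            "check_diff": r.find("check_diff") is not None,
            "description": (r.findtext("description") or "").strip(),
        })
    return rules


def format_full_command_event(command, output):
    """Shape of the single multi-line event an agent sends for a full_command
    localfile (assumption about the exact header format)."""
    return f"{FULL_COMMAND_PREFIX}{command}':\n{output}"


def evaluate(event, rules, diff_state):
    """Return an alert dict for the first rule that fires, or None.

    diff_state maps rule id -> last event seen for that rule; it stands in for the
    per-rule state OSSEC keeps on disk when <check_diff /> is used. A first
    observation is treated as a change (assumption)."""
    if not event.startswith(FULL_COMMAND_PREFIX):
        return None  # rule 530 would not fire, so nothing chained on it can fire
    for rule in rules:
        # <match> is a plain substring test, so "'last -10 " with a trailing space
        # can never match a header that reads "'last 10':".
        if rule["if_sid"] != 530 or rule["match"] not in event:
            continue
        if rule["check_diff"]:
            previous = diff_state.get(rule["id"])
            diff_state[rule["id"]] = event
            if previous == event:
                return None  # identical output to the previous run: no alert, by design
        return {"rule": rule["id"], "level": rule["level"],
                "description": rule["description"]}
    return None


# Constructed sample output of `last -10` on three consecutive 60-second runs:
# the second run is identical to the first, the third shows a new login.
RUN1 = (
    "root     pts/0        10.0.0.5         Wed Oct  5 09:40   still logged in\n"
    "adiel    pts/1        10.0.0.7         Tue Oct  4 18:21 - 18:50  (00:29)\n"
    "\n"
    "wtmp begins Sat Oct  1 00:00:01 2016\n"
)
RUN2 = RUN1
RUN3 = "alice    pts/2        10.0.0.9         Wed Oct  5 10:59   still logged in\n" + RUN1


def simulate(outputs, command="last -10"):
    """Feed successive command outputs through the rule set and return one alert
    (or None) per run."""
    rules = load_rules(LOCAL_RULES_XML)
    diff_state = {}
    return [evaluate(format_full_command_event(command, out), rules, diff_state)
            for out in outputs]


if __name__ == "__main__":
    for n, alert in enumerate(simulate([RUN1, RUN2, RUN3]), 1):
        print(f"run {n}: {alert or 'no alert (output unchanged)'}")
    # An agent configured with "last 10" instead of "last -10" produces a header the
    # rule never matches; last(1) also reads a bare "10" as a username to filter on.
    print("with 'last 10':", simulate([RUN1], command="last 10"))
```

Running it shows an alert on the first and third runs and nothing on the second, which is the "no change, no alert" behaviour described above; the final line shows that a command string on the agent that differs from the one in the rule's <match> (here "last 10" versus "last -10") produces no alert at all, which is exactly the kind of mismatch that turning on logall and reading archives.log makes visible.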
