If I understand correctly, when I turn on the logall option, all the logs of all the commands configured in the agents send their outputs to the server, right?
How can this affect the performance on the ossec server? I only need the last command output.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
Sent: Wednesday, 05 October 2016 10:01 a.m.
To: [email protected]
Subject: Re: [ossec-list] last -10

On Wed, Oct 5, 2016 at 10:59 AM, Adiel Navarro <[email protected]> wrote:
> Sure, I restarted the services on the ossec server.
>
> How can I turn on the log_all option?
>
> Do you have any example?
>

Sorry, it's "logall" not "log_all."
https://ossec.github.io/docs/syntax/head_ossec_config.global.html?highlight=logall#element-logall

> Actually, I see that in var/ossec/logs/archives/archives.log on the server...
>
> drwxr-x--- 8 ossec ossec 4096 Oct 1 00:00 2016
> -rw-r----- 2 ossec ossec 0 Oct 5 00:00 archives.log
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
> Sent: Wednesday, 05 October 2016 09:40 a.m.
> To: [email protected]
> Subject: Re: [ossec-list] last -10
>
> On Wed, Oct 5, 2016 at 10:37 AM, Adiel Navarro <[email protected]> wrote:
>> No, the rule is not commented.
>> Meanwhile, I deleted the --> sign...
>>
>
> Did you restart the OSSEC processes on the server?
> You can try turning the log_all option on and check the archives.log to make
> sure your match will actually match the log messages sent over. I usually use
> aliases to make this easier.
> Also, make sure the output changes. If there are no changes, there will be no
> alert.
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>> Sent: Wednesday, 05 October 2016 09:25 a.m.
>> To: [email protected]
>> Subject: Re: [ossec-list] last -10
>>
>> On Wed, Oct 5, 2016 at 10:15 AM, Adiel Navarro <[email protected]> wrote:
>>> Sure,
>>> I configured the following rule in local_rules.xml on the ossec server:
>>>
>>> <rule id="140126" level="7">
>>> <if_sid>530</if_sid>
>>> <match>ossec: output: 'last -10 </match>
>>> <check_diff />
>>> <description>Last connections. </description>
>>> </rule> -->
>>>
>>
>> The "-->" marks the end of a comment. Could you possibly have the rule
>> currently commented out?
>>
>>> L.I. Adiel Jesús Navarro Rosado
>>> O&M Operational Security Analyst
>>> A: [email protected]
>>> Ext. 5179
>>> 5510101509
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>>> Sent: Wednesday, 05 October 2016 06:22 a.m.
>>> To: [email protected]
>>> Subject: Re: [ossec-list] last -10
>>>
>>> On Tue, Oct 4, 2016 at 6:21 PM, Aj Navarro <[email protected]> wrote:
>>>> I want to monitor the last connections on a server.
>>>>
>>>> I configured the last -10 command in ossec.conf on the client:
>>>>
>>>> <localfile>
>>>> <log_format>full_command</log_format>
>>>> <command>last 10</command>
>>>> <frequency>60</frequency>
>>>> </localfile>
>>>>
>>>> I need the output of this command to be sent to the ossec
>>>> server, but I am not seeing any alert on the ossec wui.
>>>>
>>>> Do I need to configure anything else on the client or on the ossec server?
>>>>
>>>
>>> Did you create a rule to look for the information coming from the command?
>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
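A small Python model of the two points dan raises in the thread, whether the rule's <match> string actually occurs in the event the agent sends, and how <check_diff /> keeps an unchanged command output from alerting. This is an added example, not OSSEC's own code or anything posted in the thread; it assumes the full_command event format that rule 530 keys on, "ossec: output: '<command>': <output>", and uses constructed `last` output.

```python
"""Constructed model of an OSSEC full_command localfile feeding a child rule of 530
that uses <match> and <check_diff />. Simplified for illustration, not OSSEC's code."""

from typing import Optional


def agent_log_line(command: str, output: str) -> str:
    """One event per poll, in the shape rule 530 keys on (assumed format):
    "ossec: output: '<command>': <output>"."""
    return f"ossec: output: '{command}': {output}"


class CheckDiffRule:
    """A rule with <match> (plain substring test) and <check_diff />
    (alert only when the event differs from the last one this rule saw)."""

    def __init__(self, rule_id: int, match: str) -> None:
        self.rule_id = rule_id
        self.match = match
        self.last_seen: Optional[str] = None

    def evaluate(self, line: str) -> Optional[int]:
        if self.match not in line:
            return None          # <match> did not hit: the rule never fires
        if line == self.last_seen:
            return None          # check_diff: output unchanged, no alert
        self.last_seen = line
        return self.rule_id      # first or changed output: alert


def count_alerts(rule: CheckDiffRule, command: str, polls: list) -> int:
    """Feed successive command outputs through the rule; return alerts raised."""
    return sum(rule.evaluate(agent_log_line(command, out)) is not None for out in polls)


# Constructed sample polls of the configured "last 10" command: the first two are
# identical, the third shows a new login.
POLLS = [
    "alice pts/0 10.0.0.5 Wed Oct 5 09:00 still logged in",
    "alice pts/0 10.0.0.5 Wed Oct 5 09:00 still logged in",
    "bob pts/1 10.0.0.9 Wed Oct 5 09:40 still logged in\n"
    "alice pts/0 10.0.0.5 Wed Oct 5 09:00 still logged in",
]

if __name__ == "__main__":
    # The thread's <match> quotes "last -10" while the localfile runs "last 10",
    # so the substring never appears in the event and the rule stays silent.
    thread_rule = CheckDiffRule(140126, "ossec: output: 'last -10 ")
    # A <match> mirroring the configured command alerts only when output changes.
    fixed_rule = CheckDiffRule(140126, "ossec: output: 'last 10'")
    print("thread rule alerts:", count_alerts(thread_rule, "last 10", POLLS))  # 0
    print("fixed rule alerts: ", count_alerts(fixed_rule, "last 10", POLLS))   # 2
```

Turning on logall and reading archives.log shows the exact event text, which is what you compare the <match> string against.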
