Re: [ossec-list] Syslog logs has to store Another file rather than archives.json

2020-02-18 Thread dan (ddp)
On Tue, Feb 18, 2020 at 4:44 AM Muhammed Ashique  wrote:
>
> Is there any way to store all syslog logs generated from network devices into
> a different path? All logs (agents, devices) go to a single file
> (archive.json), but I want to send only the syslog logs to a different path
> and keep the system logs in the default path, instead of using the syslog
> server mechanism.
>

Not at this time. OSSEC's configuration and options for these things
are quite simplistic.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/3ffede20-112f-44dc-9ab3-6afb0cb50915%40googlegroups.com.



Re: [ossec-list] Log firewall changes

2020-02-18 Thread dan (ddp)
On Tue, Feb 18, 2020 at 1:52 AM Schultheis Burkhard
 wrote:
>
> Hi,
>
> I want to get a message when the ruleset of iptables gets modified. But
> I see that iptables doesn't log its changes. Or am I wrong?
>

I'm not aware of a log, but I'm far from an expert.

If you're running an OSSEC agent on the system, it should be easy to
add a command to watch for changes.
This is probably a naive command to run, but I'm not sure what a
better one would be at the moment.
This goes in the ossec.conf of the agent with the iptables
configuration you want to monitor.

  <localfile>
    <log_format>full_command</log_format>
    <alias>iptables_check</alias>
    <command>iptables -nL</command>
    <frequency>60</frequency>
  </localfile>

Every 60ish seconds the command "iptables -nL" is run. The contents of
this command are sent to the OSSEC server.

Then you create a rule to match this command in local_rules.xml.
Something like this:
> >> But the OSSEC failed to start. What's wrong? How to get the desired
> >> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
> >>
> > What do you mean by "a port is opened or closed in the firewall?" Do
> > you mean when a program is listening on a port,
> > or the ruleset is modified to allow traffic through a particular port?
> >
> > What type of firewall?
> >
> > I don't think "log" is a valid value for . Just remove the line.
> > You can look at the ossec.log on the server for more details as to why
> > it's failing.
> >
> >> Thanks in advance!
> >>
> >> Regards
> >> Burkhard
> >>
>

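A local_rules.xml rule that matches the output of the full_command entry above and alerts only when that output changes, as an added example (not dan's rule and not shipped by the OSSEC project); rule id 100100 and the group name are my choices, while rule 530 and <check_diff /> are OSSEC's built-in base rule and option for command output:

```xml
<group name="local,iptables,">
  <!-- 530 is OSSEC's base rule for "ossec: output:" events produced by
       full_command entries; the alias replaces the command string in that
       event, so the match is on the alias from ossec.conf. -->
  <!-- 100100 is a placeholder in the local-rule id range; use any free id. -->
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'iptables_check'</match>
    <!-- check_diff stores the last output and fires only when the new
         output differs from it, so an unchanged ruleset stays silent. -->
    <check_diff />
    <description>iptables ruleset changed (output of 'iptables -nL' differs from previous run).</description>
  </rule>
</group>
```

Level 7 meets OSSEC's default email_alert_level of 7, so the alert is mailed; note that iptables -nL lists only the filter table, so nat or mangle changes need their own localfile entry and rule.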


[ossec-list] Syslog logs has to store Another file rather than archives.json

2020-02-18 Thread Muhammed Ashique
Is there any way to store all syslog logs generated from network devices into
a different path? All logs (agents, devices) go to a single file
(archive.json), but I want to send only the syslog logs to a different path
and keep the system logs in the default path, instead of using the syslog
server mechanism.
