ossec.conf changes #330

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 1 comment

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

From Matthew Harmon:

/var/ossec/etc/ossec.conf

  <syscheck>
    <!-- Frequency that syscheck is executed: 60sec*60min*7hr = 25200 -->
    <frequency>25200</frequency>

-- syscheck is extremely low I/O and 7 hours is "off by one" from a clean 
divisor of 24 hours. 

    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes">/var/ossec/etc</directories>

-- OSSEC should monitor its own /var/log/etc directory for changes; the 
addition of "report_changes" gives a very useful diff of the previous contents.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/ssl_access.log</location>
  </localfile>

-- Corrected filename, access.log doesn't exist, ssl_access.log does.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

-- error_log doesn't exist, error.log does

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/xplico_access.log</location>
  </localfile>

-- xplico_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/other_vhosts_access.log</location>
  </localfile>

-- other_vhosts_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/snorby_access.log</location>
  </localfile>

-- snorby_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/snorby_error.log</location>
  </localfile>

-- snorby_error.log wasn't being monitored. 

Original issue reported on code.google.com by doug.bu...@gmail.com on 1 May 2013 at 7:44
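
Added example, not part of the original issue or the packaged configuration: a small audit that compares the `<localfile>` locations in an ossec.conf with the logs actually present in a directory, reporting both configured paths that do not exist (the `access.log` case above) and existing logs that nothing monitors (the `xplico`/`snorby` cases). The function names and the temporary directory standing in for /var/log/apache2 are assumptions for illustration; wildcard or strftime patterns in `<location>` are not expanded.

```python
import re
import tempfile
from pathlib import Path

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
BLOCK_RE = re.compile(r"<localfile>(.*?)</localfile>", re.S)
LOC_RE = re.compile(r"<location>\s*(.*?)\s*</location>", re.S)

def monitored_locations(conf_text):
    """Return the set of <location> paths found inside <localfile> blocks."""
    # Regex rather than a strict XML parser: ossec.conf may hold several
    # root elements, and comments containing "--" make strict parsers fail.
    text = COMMENT_RE.sub("", conf_text)
    found = (LOC_RE.search(block) for block in BLOCK_RE.findall(text))
    return {m.group(1) for m in found if m}

def audit_log_coverage(conf_text, log_dir, pattern="*.log"):
    """Compare configured localfile paths with the logs present in log_dir.

    Returns (missing, unmonitored): configured paths directly under log_dir
    that do not exist on disk, and existing logs in log_dir that no
    <localfile> entry covers.
    """
    log_dir = Path(log_dir)
    configured = {Path(p) for p in monitored_locations(conf_text)}
    in_dir = {p for p in configured if p.parent == log_dir}
    present = set(log_dir.glob(pattern))
    missing = sorted(str(p) for p in in_dir - present)
    unmonitored = sorted(str(p) for p in present - in_dir)
    return missing, unmonitored

def demo():
    """Constructed sample: a temp directory stands in for /var/log/apache2."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("ssl_access.log", "error.log", "snorby_access.log"):
            (d / name).touch()
        conf = f"""
        <ossec_config>
          <localfile><log_format>apache</log_format>
            <location>{d}/access.log</location></localfile>
          <localfile><log_format>apache</log_format>
            <location>{d}/error.log</location></localfile>
        </ossec_config>"""
        missing, unmonitored = audit_log_coverage(conf, d)
        return [Path(p).name for p in missing], [Path(p).name for p in unmonitored]

if __name__ == "__main__":
    print(demo())
```

On a sensor this would be called as `audit_log_coverage(Path("/var/ossec/etc/ossec.conf").read_text(), "/var/log/apache2")`, using the paths named in the issue.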

@GoogleCodeExporter GoogleCodeExporter commented Mar 24, 2015

Published:
http://blog.securityonion.net/2014/09/new-ossec-hids-server-package-resolves.html

Original comment by doug.bu...@gmail.com on 13 Sep 2014 at 2:40

  • Changed state: Verified
  • Added labels: ****
  • Removed labels: ****