ossec.conf changes

[GoogleCodeExporter]

From Matthew Harmon:

/var/ossec/etc/ossec.conf

  <syscheck>
    <!-- Frequency that syscheck is executed -- 60sec*60min*7hr = 25200 -->
    <frequency>25200</frequency>

-- syscheck is extremely low I/O and 7 hours is "off by one" from a clean 
divisor of 24 hours. 

    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes">/var/ossec/etc</directories>

-- OSSEC should monitor its own /var/log/etc directory for changes, the 
addition of "report_changes" gives a very useful diff of the previous contents.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/ssl_access.log</location>
  </localfile>

-- Corrected filename, access.log doesn't exist, ssl_access.log does.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

-- error_log doesn't exist, error.log does

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/xplico_access.log</location>
  </localfile>

-- xplico_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/other_vhosts_access.log</location>
  </localfile>

-- other_vhosts_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/snorby_access.log</location>
  </localfile>

-- snorby_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/snorby_error.log</location>
  </localfile>

-- snorby_error.log wasn't being monitored. 

Original issue reported on code.google.com by doug.bu...@gmail.com on 1 May 2013 at 7:44