
No kern.log, auth.log, mail.log in default localfile config for Debian family #221

Closed
lapwingcloud opened this issue Feb 26, 2020 · 2 comments

@lapwingcloud

When I use the wazuh-puppet module in Ubuntu 18.04, the default localfile config

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/dpkg.log</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>

<localfile>
  <log_format>command</log_format>
  <command>df -P</command>
  <frequency>360</frequency>
</localfile>
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
  <alias>netstat listening ports</alias>
  <frequency>360</frequency>
</localfile>
<localfile>
  <log_format>full_command</log_format>
  <command>last -n 20</command>
  <frequency>360</frequency>
</localfile>

Which comes from manifests/params_manager.pp#L317

However, kern.log, auth.log and mail.log did exist in the Red Hat default local files manifests/params_manager.pp#L375, and they used to exist in the Debian default local files manifests/params.pp#L51.

Also note that if I just sudo apt-get install wazuh-manager, the default config includes kern.log auth.log as well.

I think some rules rely on these log files, i.e. without these localfile configs these rules will never be triggered, right? For example

So what's the rationale behind removing these defaults?
Or they were removed by accident?
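
An added example (not part of this issue or the wazuh-puppet module) that audits a localfile fragment for exactly the gap described above: it parses the <location> entries and reports which expected Debian log files are not collected, since rules keyed on auth.log or kern.log can never fire if the file is never read. The REQUIRED_DEBIAN set and SAMPLE_CONFIG are constructed for illustration.

```python
"""Audit Wazuh <localfile> coverage for the log files a Debian-family host should ship.

Added example, not code from the wazuh-puppet project. REQUIRED_DEBIAN and
SAMPLE_CONFIG are constructed for illustration; adjust REQUIRED_DEBIAN to the
sources your own rule set depends on.
"""
import xml.etree.ElementTree as ET

# Log files the issue expects to be collected on Debian/Ubuntu hosts (constructed list).
REQUIRED_DEBIAN = {
    "/var/log/syslog",
    "/var/log/auth.log",
    "/var/log/kern.log",
    "/var/log/mail.log",
}

# Constructed sample: the Debian defaults quoted in the issue, trimmed to three entries.
SAMPLE_CONFIG = """
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/dpkg.log</location>
</localfile>
<localfile>
  <log_format>command</log_format>
  <command>df -P</command>
  <frequency>360</frequency>
</localfile>
"""


def collected_locations(fragment: str) -> set:
    """Return the <location> of every file-based <localfile> in an ossec.conf fragment.

    ossec.conf fragments have no single root element, so wrap them before parsing.
    Command-based entries (log_format command / full_command) carry no <location>
    and are skipped.
    """
    root = ET.fromstring(f"<root>{fragment}</root>")
    found = set()
    for lf in root.iter("localfile"):
        loc = lf.findtext("location")
        if loc:
            found.add(loc.strip())
    return found


def missing_sources(fragment: str, required: set = REQUIRED_DEBIAN) -> set:
    """Files in `required` that no <localfile> reads; rules keyed on them can never fire."""
    return set(required) - collected_locations(fragment)


if __name__ == "__main__":
    for path in sorted(missing_sources(SAMPLE_CONFIG)):
        print(f"not collected: {path}")
```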

@rshad
Contributor

rshad commented Mar 10, 2020

Hi @jchenrev!

Thank you for your review. This way Wazuh gets improved by our community contributions.

I'll be comparing the list of the files included in the wazuh-puppet configuration and the latest default config from wazuh-manager and wazuh-agent.

Kr,

Rshad

@rshad
Contributor

rshad commented Mar 24, 2020

Hi @jchenrev

The missing paths were added in 5bde8e3.

Kr,

Rshad

@rshad rshad closed this as completed Mar 24, 2020
@rshad rshad added this to To do in v3.12.0 via automation Mar 24, 2020
@rshad rshad added this to the Sprint-108 milestone Mar 24, 2020