Login or Register to Ask a Question and Join Our Community


Red Hat

Regding OSSEC

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat Regding OSSEC
# 1  
Old 05-07-2012
Regding OSSEC
FYI...

Installed OSSEC server version 2.6 in Cent OS 6.2 and agents are web servers

installed in chroot environment.

Moreover ossec server and apache (web servers are agents) are installed in separate machines.


In ossec.conf file, added below configuration in both server and agent.

<localfile>
<log_format>syslog</log_format>
<location>/chroot/site/usr/local/apache/logs/error_log</location>
</localfile>


Already in decoder.xml and in rules folder apache related configuration is set

by default.


Problem : Ossec is not working for apache logs, not even generating


mails related to Apache errors , rest of the ossec part is working as needed.

Please guide me what has to be done to solve the issue.
Login or Register to Ask a Question

Previous Thread | Next Thread

1 More Discussions You Might Find Interesting

1. Cybersecurity

Not being able to run SYSCHEKD in OSSEC local (HIDS)

I am newbee to OSSEC. My objective is to install OSSEC in a ubuntu 10.04 server, configure it and then install rootkits, tamper files and then scan for possible notification and alerts. BUT I tired and then changed few setting in ossec.conf but its nearly similar to default setting. After... (1 Reply)
Discussion started by: metalaarif
1 Replies
Login or Register to Ask a Question

LEARN ABOUT DEBIAN

mergelogs

MERGELOGS(1)						      General Commands Manual						      MERGELOGS(1)

NAME

       mergelogs - merge and consolidate web server logs

SYNOPSIS

       mergelogs -p penlog [-c] [-d] [-j jitter] [-t seconds] server1:logfile1 [server2:logfile2 ...]

EXAMPLES

       mergelogs -p pen.log 10.0.0.1:access_log.1 10.0.0.2:access_log.2

       mergelogs -p pen.log 10.0.18.6:access_log-10.0.18.6 10.0.18.8:access_log-10.0.18.8

DESCRIPTION

       When pen is used to load balance web servers, the web server log file lists all accesses as coming from the host running pen. This makes it
       more difficult to analyze the log file.

       To solve this, pen creates its own log file, which contains the real client address, the time of the access, the target server address  and
       the first few bytes of the requests.

       Mergelogs reads pen's log file and the log files of all load balanced web servers, compares each entry and creates a combined log file that
       looks as if the web server cluster were a single physical server.  Client addresses are replaced with the real client addresses.

       In the event that no matching client address can be found in the pen log, the server address is used instead. This should never happen, and
       is  meant  as  a debugging tool. A large number of these indicates that the server system date needs to be set, or that the jitter value is
       too small.

       You probably don't want to use this program. Penlog is a much more elegant and functional solution.

OPTIONS

       -c     Do not cache pen log entries. The use of this option is not recommended, as it will make mergelogs search the  entire  pen  log  for
	      every line in the web server logs.

       -d     Debugging (repeat for more).

       -p penlog
	      Log file from pen.

       -j jitter
	      Jitter  in  seconds (default 600). This is the maximum variation in time stamps in the pen and web server log files. A smaller value
	      will result in a smaller pen log cache and faster processing, at the risk of missed entries.

       -t seconds
	      The difference in seconds between the time on the pen server and UTC.  For example, this is 7200 (two hours) in Finland.

       server:logfile
	      Web server address and name of log file.

AUTHOR

       Copyright (C) 2001-2003 Ulric Eriksson, <ulric@siag.nu>.

SEE ALSO

       pen(1), webresolve(1), penlog(1), penlogd(1)

								       LOCAL							      MERGELOGS(1)