This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

ossec.conf changes #330

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 1 comment

@GoogleCodeExporter

From Matthew Harmon:

/var/ossec/etc/ossec.conf

  <syscheck>
    <!-- Frequency that syscheck is executed -- 60sec*60min*7hr = 25200 -->
    <frequency>25200</frequency>

-- syscheck is extremely low I/O and 7 hours is "off by one" from a clean 
divisor of 24 hours. 

    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes">/var/ossec/etc</directories>

-- OSSEC should monitor its own /var/log/etc directory for changes; the 
addition of "report_changes" gives a very useful diff of the previous contents.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/ssl_access.log</location>
  </localfile>

-- Corrected filename, access.log doesn't exist, ssl_access.log does.

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

-- error_log doesn't exist, error.log does

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/xplico_access.log</location>
  </localfile>

-- xplico_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/other_vhosts_access.log</location>
  </localfile>

-- other_vhosts_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/snorby_access.log</location>
  </localfile>

-- snorby_access.log wasn't being monitored

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/snorby_error.log</location>
  </localfile>

-- snorby_error.log wasn't being monitored. 

Original issue reported on code.google.com by doug.bu...@gmail.com on 1 May 2013 at 7:44
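
Added example (not part of the original issue or of the Security Onion package): a Python check for the two problems this issue fixes by hand, `<localfile>` entries that point at files which do not exist and log files that no entry monitors. The function names and the temporary directory standing in for /var/log/apache2 are assumptions made for the illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

def localfile_locations(conf_text):
    """Return every <localfile><location> path found in ossec.conf text."""
    # Strip comments first: a comment containing "--" (like the <frequency>
    # comment quoted above) is rejected by strict XML parsers.
    text = re.sub(r"<!--.*?-->", "", conf_text, flags=re.DOTALL)
    # Wrap in a synthetic root so a fragment or several top-level blocks parse.
    root = ET.fromstring("<root>" + text + "</root>")
    return [loc.text.strip() for loc in root.findall(".//localfile/location")
            if loc.text and loc.text.strip()]

def audit(conf_text, log_dir):
    """Return (configured paths missing on disk, *.log files not monitored)."""
    monitored = localfile_locations(conf_text)
    # Assumption: a location containing * or % is a pattern, not a literal
    # path, so it is skipped rather than reported as missing.
    missing = [p for p in monitored
               if not any(c in p for c in "*%") and not os.path.exists(p)]
    on_disk = [os.path.join(log_dir, n) for n in sorted(os.listdir(log_dir))
               if n.endswith(".log")]
    unmonitored = [p for p in on_disk if p not in monitored]
    return missing, unmonitored

def demo():
    """Constructed sample: a temp dir standing in for /var/log/apache2."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ssl_access.log", "error.log", "xplico_access.log"):
            open(os.path.join(d, name), "w").close()
        conf = f"""
  <syscheck>
    <!-- Frequency that syscheck is executed -- 60sec*60min*7hr = 25200 -->
    <frequency>25200</frequency>
  </syscheck>
  <localfile><log_format>apache</log_format><location>{d}/access.log</location></localfile>
  <localfile><log_format>apache</log_format><location>{d}/error.log</location></localfile>
"""
        missing, unmonitored = audit(conf, d)
        return ([os.path.basename(p) for p in missing],
                [os.path.basename(p) for p in unmonitored])

if __name__ == "__main__":
    print(demo())
```

On a real sensor, `audit(open("/var/ossec/etc/ossec.conf").read(), "/var/log/apache2")` gives the same two lists for the live configuration.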

@GoogleCodeExporter

Published:
http://blog.securityonion.net/2014/09/new-ossec-hids-server-package-resolves.html

Original comment by doug.bu...@gmail.com on 13 Sep 2014 at 2:40

  • Changed state: Verified
