
I'm very new to OSSEC. I use a server-agent model. I wish to generate alerts for the following actions (on the agent side):

1) Sample alert for deletion of logs

I added the rules for these in the agent's ossec.conf using <localfile> tags, like this:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

In my server's ossec.conf, I added the following:

  <global>
    <email_notification>yes</email_notification>
    <email_to>xxxx@xxxxxx</email_to>
    <smtp_server>smtp.gmail.com</smtp_server>
    <email_from>xxxx@xxx</email_from>
  </global>

And I restarted my server. Now I tried to delete the agent's syslog file using `rm syslog`. But no alerts have been triggered.

Where am I making the mistake?

batman

1 Answer


localfile is different from syscheck.

Open the /var/ossec/rules/syslog_rules.xml, you will see a bad words list:

<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted|unresolved|Down</var>

Use the logger command to create an entry in the system log:

$ logger connection failed

You can see this message in /var/log/syslog:

Aug 28 17:12:41 ubuntu quanta: connection failed

and get an email with the following content:

OSSEC HIDS Notification.
2012 Aug 28 17:12:32

Received From: (Nagios_Slave_6.142) 192.168.6.142->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

    Aug 28 17:12:21 ubuntu quanta: connection failed



 --END OF NOTIFICATION
quanta
  • Oh! So I added `/var/log` to `syscheck` like this (on my agent side). I even did this `logger` command, which is also working. But the email is not triggered. I'm using Google's SMTP server here. Can you show me how you have configured your server's `` settings? – batman Aug 28 '12 at 10:24
  • Change the smtp server to `gmail-smtp-in.l.google.com` and try again. If it doesn't work, change to `127.0.0.1` and take a look at [this](http://www.cyberciti.biz/tips/linux-use-gmail-as-a-smarthost.html). – quanta Aug 28 '12 at 10:39
  • Cool, that works. But I have a doubt. I specified `syscheck` on my agent side, with the rule `/var/log`. So that means when I do `logger connection failed` I need to be alerted. But I wasn't. I restarted my server; in this case an alert is generated stating that my server is started. But changing the `syslog` with `logger` doesn't seem to be generating an alert. – batman Aug 28 '12 at 10:46
  • Don't do that. You probably want to check integrity for only configuration files in `/etc`. – quanta Aug 28 '12 at 10:49
  • But my boss wants me to generate an alert for `Logs for New user creation`, `Sample Alert for delation of logs`, `wrong password alert log`. So I'm doing that. So is adding `/var/log` in the `syscheck` correct, as far as these requirements are concerned? – batman Aug 28 '12 at 11:00
  • You're doing it wrong. Log analysis should be placed in the `localfile` section, not `syscheck` (for integrity checking). By default, OSSEC has rules to detect some common actions by analysing important logs. For the particular pattern/action, write your own [rule](http://www.ossec.net/doc/manual/rules-decoders/create-custom.html). – quanta Aug 28 '12 at 11:06
  • Thanks! It is working now. But I have one last doubt. Putting the required log files into `localfile` and making them fail will generate the alerts, right? And also what are the rules for `localfile`? – batman Aug 28 '12 at 11:18
  • _Putting the required log files into localfile and making them fail will generate the alerts, right?_ --> Yes, if the default rules contain your 'fail' pattern. _And also what are the rules for localfile?_ --> What do you mean? – quanta Aug 28 '12 at 16:30
  • For now I haven't specified any rules. But I'm following the `syslog` format for monitoring my log files via `localfile`. – batman Aug 29 '12 at 05:50
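As an added example (not code from this thread and not OSSEC's own implementation), the Python below models in miniature the two mechanisms quanta contrasts: the `localfile` path, where rule 1002 scans each log line for the `$BAD_WORDS` alternatives quoted from syslog_rules.xml, and the `syscheck` path, where file hashes are compared between snapshots. It makes clear why `rm syslog` produced no alert in the question: deleting a file writes no log line, so only the integrity check notices it. Assumptions of mine: `$BAD_WORDS` is a `|`-separated list of plain substrings and OSSEC's `<match>` behaves as a case-insensitive substring test; the sample log lines and file contents are constructed for the demo.

```python
"""Toy model of the two OSSEC paths quanta contrasts: log analysis vs. integrity checking.

Added example, not code from the thread or from OSSEC. Assumptions: $BAD_WORDS is a
'|'-separated list of plain substrings and <match> is a case-insensitive substring
test; sample log lines and file snapshots are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass

# The list as quoted from /var/ossec/rules/syslog_rules.xml in the answer.
# "bad " and "illegal " carry a trailing space, so "badge" or "illegality" do not match.
BAD_WORDS = ("core_dumped|failure|error|attack|bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted|unresolved|Down")
BAD_WORD_LIST = BAD_WORDS.split("|")


@dataclass(frozen=True)
class Alert:
    rule_id: int
    level: int
    description: str
    log: str


def bad_words_in(line: str) -> list:
    """Return every $BAD_WORDS alternative present in the line (case-insensitive, assumed)."""
    lowered = line.lower()
    return [word for word in BAD_WORD_LIST if word.lower() in lowered]


def analyse_log_lines(lines) -> list:
    """<localfile> path: rule 1002 (level 2) fires once per line that contains a bad word.
    Deleting the log file writes no line, so this path sees nothing for an `rm`."""
    return [Alert(1002, 2, "Unknown problem somewhere in the system.", line)
            for line in lines if bad_words_in(line)]


def snapshot(files: dict) -> dict:
    """<syscheck> path: record a hash per file, the way an integrity checker stores state."""
    return {path: hashlib.sha1(data).hexdigest() for path, data in files.items()}


def syscheck_diff(before: dict, after: dict) -> dict:
    """Classify what changed between two snapshots: this is where a deleted file surfaces."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


# Constructed syslog lines; the first mirrors the `logger connection failed` test.
SAMPLE_LINES = [
    "Aug 28 17:12:41 ubuntu quanta: connection failed",
    "Aug 28 17:13:02 ubuntu sshd[2041]: Accepted publickey for alice from 192.0.2.10",
    "Aug 28 17:13:30 ubuntu kernel: Illegal instruction in process 4242",
    "Aug 28 17:14:00 ubuntu app: request from illegality.example recorded",
]


def demo_file_deletion() -> dict:
    """Constructed before/after file sets: syslog removed, passwd edited, nothing else."""
    before = snapshot({
        "/var/log/syslog": b"Aug 28 17:12:41 ubuntu quanta: connection failed\n",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    })
    after = snapshot({
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbob:x:1001:1001::/home/bob:/bin/bash\n",
    })
    return syscheck_diff(before, after)


if __name__ == "__main__":
    for alert in analyse_log_lines(SAMPLE_LINES):
        print(f"Rule: {alert.rule_id} fired (level {alert.level}) -> \"{alert.description}\"")
        print(f"  {alert.log}")
    print("syscheck sees:", demo_file_deletion())
```

Running it prints one rule 1002 alert for the `logger` line and one for the kernel line (the `illegal ` alternative, trailing space included), nothing for the successful SSH login or the `illegality.example` line, and then the syscheck diff listing `/var/log/syslog` as deleted and `/etc/passwd` as modified. The two requirements from the question map onto the two paths: "wrong password" lines go to `localfile` rules, while "deletion of logs" is a `syscheck` finding.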