Comments on: Using OSSEC for Encrypted Log Transport

By: Michael Starks

Michael Starks — Mon, 04 Apr 2011 14:07:02 +0000

Well, if you enable logall, OSSEC will have analyzed all of those and then you could use another program to parse out the ones you are interested in. This is a bit different than the method I describe in the post. but it works fine.

By: Kat

Kat — Mon, 04 Apr 2011 12:47:22 +0000

What if you have, say 10 logs – 9 of which you want to actually “analyze” and the other one you simply want to send to the server to go stored in the DB for logging, as in syslog. So I still want to keep much of OSSEC doing what it does, and a small portion doing the logfile centralization…

Suggestions?

By: Suraj

Suraj — Tue, 22 Mar 2011 11:15:17 +0000

Hi, I’m trying to set this up as well (while keeping ossec analyzing logs). I’m trying to get the logs seperated by host, but all I get is one file with all logs. The syslog-ng logs seem to be following this format:

Mar 22 11:53:30 ossec-server 1:(remotehost) 1.2.3.4->/var/log/syslog:Mar 22 11:53:29 remotehost snmpd[1965]: Connection from UDP: [4.5.6.7]:55066

I suspect, the problem is caused by the first part and syslog can’t parse the full logline correctly, but maybe I’m doing something wrong here.

Do you have any clues?

Thanks in advance.

By: Michael Starks

Michael Starks — Tue, 01 Feb 2011 00:49:38 +0000

Hello tschack,

I’m glad you found the problem, but I wanted to comment in case anyone else runs into this. This can happen if you don’t edit ossec-control, and OSSEC and syslog-ng are both in contention for the queue. Whichever one is started last will win out.

Thanks,
Mike

By: tschack

tschack — Mon, 31 Jan 2011 17:46:08 +0000

Forget my post, I found my answer. Had a misconfiguration.

By: tschack

tschack — Mon, 31 Jan 2011 16:30:42 +0000

First, great post! Second, after I set this up, syslog-ng stopped separating the logs base on the server IP (“/var/log/syslog/servers/$HOST/$YEAR.$MONTH.$DAY.$FACILITY.log”). Everything is going to one log via OSSEC. Are you experiencing the same thing?

By: Michael Starks

Michael Starks — Sun, 30 Jan 2011 15:07:01 +0000

Hello Frank,

I am not that familiar with rsyslog, but I can’t imagine it wouldn’t be able to. As long as it can read a Unix socket it should be fine.

-Mike

By: Frank Daley

Frank Daley — Sat, 22 Jan 2011 11:53:43 +0000

Excellent idea!

Can rsyslog be configured to achieve the same result?

Frank

By: Community Updates

Community Updates — Mon, 15 Feb 2010 13:31:37 +0000

[...] Using OSSEC for Encrypted Log Transport Detecting Sensitive Info with OSSEC [...]

By: Interesting Information Security Bits for 02/01/2010 | Infosec Ramblings

Interesting Information Security Bits for 02/01/2010 | Infosec Ramblings — Tue, 02 Feb 2010 00:43:29 +0000

[...] cool. Encrypt your logs before sending them across the wire. Immutable Security >> Using OSSEC for Encrypted Log Transport Tags: ( logging encryption ossec [...]