Thanks for stopping by. In order to help you most effectively, I’ll need to see your ossec.conf, etc. This is best handled by the users mailing list, so please create a new post there.

-Mike

I wanted to check in and see if the bug you referenced has been fixed with OSSEC? I have some Oracle 11g databases that currently write audit events to the DB itself. I’m considering switching to syslog or XML output, and thus wanted to check in and see how far you made it before I try to re-invent the wheel.

Obviously you decided to go with syslog format. Did you do any trades to figure out if it was worth trying to write a multi-line decoder for Oracle’s XML audit logs, or didn’t you see much benefit in the additional fields?

1) there is no section in the ossec.conf file on my agent machine.

2) when I run your start shell script I get the following errors for all of the additional instanced of ossec.

just as a note I have names eth0, eth0:1, eth0:2, eth1, eth1:1 and eth1:2 for my additional ips but could not eneter them anywhere since there’s no remote section to be found in the ossec.conf file

ideas why?

[root@marine init.d]# ./ossec.sh start
Starting OSSEC at /var/ossec6: 2012/01/08 17:44:33 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec6/bin/ossec-control: line 138: 8627 Segmentation fault ${DIR}/bin/${i}
[FAILED]
Starting OSSEC at /var/ossec: [ OK ]
Starting OSSEC at /var/ossec2: 2012/01/08 17:44:35 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec2/bin/ossec-control: line 138: 8691 Segmentation fault ${DIR}/bin/${i}
[FAILED]
Starting OSSEC at /var/ossec3: 2012/01/08 17:44:35 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec3/bin/ossec-control: line 138: 8720 Segmentation fault ${DIR}/bin/${i}
[FAILED]
Starting OSSEC at /var/ossec4: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec4/bin/ossec-control: line 138: 8749 Segmentation fault ${DIR}/bin/${i}
[FAILED]
Starting OSSEC at /var/ossec5: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec5/bin/ossec-control: line 138: 8778 Segmentation fault ${DIR}/bin/${i}
[FAILED]
Starting OSSEC at /var/ossec6: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec6/bin/ossec-control: line 138: 8813 Segmentation fault ${DIR}/bin/${i}
[FAILED]
[root@marine init.d]#
[root@marine init.d]#

I think it would be best to run a script on the manager side through cron or something that searched archives.log or alerts.log. Then again, maybe if you just searched for the particular rule ID for the daily reports, that could work, too.

Nice posts, and I really liked this one. Such a rare Saturday when I have time to read through interesting blogs!

Sincerely,
Betty Pierce
ISSA Professional Ethics Committee Corresponding Secretary

In terms of a ninja, this would be nice to do…

Detecting outdated web applications with OSSEC question

RE: http://dcid.me/2011/09/detecting-outdated-web-applications-with-ossec/

Is there a way for each agent that detects outdated web applications that in addition to the email alert the ossec server sends out, the agent could pipe the information to a file that can be included in the client’s logwatch report?

Thank you.