Jephe Wu - http://linuxtechres.blogspot.com
Objective: use ossec hids to monitor system file changes realtime
Environment: CentOS 5, RHEL 5, Windows 2003 server
Steps:
1. Download ossec from http://www.ossec.net/main/downloads/
2. Install it on the centralized monitoring server first (choose 'server' when installing ossec); this server can be the rsyslog and nagios server too.
3. Install ossec as an agent on each Linux or Windows server.
4. Some commands for managing agent authentication, stopping/starting the service and realtime monitoring:
a. on ossec server, run '/var/ossec/bin/manage_agents' to manage/extract keys for agents
b. on ossec agent, run '/var/ossec/bin/manage_agents' to import key from the server
c. run '/var/ossec/bin/ossec-control stop' or '/var/ossec/bin/ossec-control start' to stop/start services
d. realtime syscheck monitoring (only works with directories, not individual files, so you can monitor /etc or c:\program files, but not /etc/file.txt):
check this page: http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/
or
http://www.ossec.net/doc/manual/syscheck/index.html
The configuration is very simple. In the
e. configuration and log files are under /var/ossec/ (Linux) and c:\program files\ossec (Windows)
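As an added example (not from the original post), a syscheck section for a Linux agent's /var/ossec/etc/ossec.conf that turns on realtime monitoring for a few directories; the directory list and ignore entries are sample choices, not a recommendation from the post:

```xml
<ossec_config>
  <syscheck>
    <!-- full scan every 6 hours (21600 s); realtime events arrive in between -->
    <frequency>21600</frequency>
    <!-- realtime="yes" switches on realtime monitoring for the directory
         (directories only, individual files are not accepted, as noted above);
         report_changes="yes" attaches a diff of changed text files to the alert -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin</directories>
    <!-- files that change on every boot or clock sync and would only generate noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</ossec_config>
```

After editing, restart with '/var/ossec/bin/ossec-control restart' and confirm in /var/ossec/logs/ossec.log that the directories were added to the realtime monitor.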
5. Notes:
<active-response>
<disabled>yes</disabled>
</active-response>
to /var/ossec/etc/ossec.conf
b. http://www.ossec.net/main/manual/manual-installation
c. OSSEC Wiki at http://www.ossec.net/wiki/OSSEC
6. FAQ
a. Why does ossec send me so many emails?
http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
b. You can use a strftime format in /var/ossec/etc/ossec.conf so that
ossec can monitor a log file whose path changes by date, like this:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/rsyslog/%Y/%m/%d/log1.log</location>
</localfile>
So after midnight it will start monitoring the new log file at the new path.