Generating alerts from ossec ( server- agent ) model

Posted by batman on Server Fault See other posts from Server Fault or by batman
Published on 2012-08-28T09:16:42Z Indexed on 2012/08/28 9:40 UTC
Read the original article Hit count: 279

Filed under:

ubuntu

|

ossec

I'm very new to OSSEC. I use a server-agent model. I wish to generate alert for the following actions ( in agent side ):

1) Sample Alert for delation of logs

I added the rules for these in agent's ossec.conf using <localfile> tags. Like this :

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

In my server's ossec.conf. I added the following :

<global>
    <email_notification>yes</email_notification>
    <email_to>xxxx@xxxxxx</email_to>
    <smtp_server>smtp.gmail.com</smtp_server>
    <email_from>xxxx@xxx</email_from>
  </global>

And I restarted my server. Now I tried to delete the agents syslog file using rm syslog. But no alerts has been triggered.

Where I'm making the mistake?

© Server Fault or respective owner

Related posts about ubuntu

Cannot update, apt-get cannot fetch index files

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a fresh install of Ubuntu 11.10 from the iso 'ubuntu-11.10-desktop-amd64.iso'. I installed this in VMWare Fusion 4.1.1 running on OSX 10.7.3. When setting up the VM, I allowed easy install to take care of creating my user and installing VMWare tools. No problems during installation, everything… >>> More
'sudo apt-get update' error on Ubuntu 12.04

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
When I type in 'sudo apt-get update' I get this mohd-arafat-hossain@TUD:~$ sudo apt-get update [sudo] password for mohd-arafat-hossain: Ign http://bd.archive.ubuntu.com precise InRelease Ign http://bd.archive.ubuntu.com precise-updates InRelease Ign http://bd.archive.ubuntu… >>> More
Opening Skype, Opera, OpenOffice logs me off

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Whats common among Skype, Opera, OpenOffice in Ubuntu ? Whenever I open these applications I get logged off and shows back me the login screen. This started happening since the 10.10 upgrade. Forgot to mention : Yes, its x64.Each time I open these applications, the UI shows and then crashes. I… >>> More
Update information outdated

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a warning triangle that my update information is outdated, the last update was 12 days ago. I use Ubuntu 11.10. A run of sudo apt-get update produces the following output: Ign http://ppa.launchpad.net oneiric InRelease Ign http://de.archive.ubuntu.com oneiric InRelease … >>> More
ubuntu/apt-get update said "Failed to Fetch http:// .... 404 not found"

as seen on Server Fault - Search for 'Server Fault'
Hi all, I'm trying to run apt-get update on ubuntu 9.10 I've configured my proxy server and I can access the internet without any problem: /etc/apt# wget "http://www.google.com" Resolving (...) Proxy request sent, awaiting response... 200 OK Length: 292 [text/html] Saving to: `index.html' 100%[=================================================================================================================================>]… >>> More

Related posts about ossec

OSSEC agent behind NAT

as seen on Server Fault - Search for 'Server Fault'
I am working on an OSSEC deployment where I will have multiple agents behind 1 public IP. Below is an example of the setup Private Network OSSEC-Agent1 (192.168.1.10) OSSEC-Agent2 (192.168.50.33) OSSEC-Agent3 (10.10.10.1) Those IPs NAT to 1 public IP (1.1.1.1) … >>> More
OSSEC is not running

as seen on Server Fault - Search for 'Server Fault'
I have an two ec2 instances. In one I have installed ossec server and in other I have installed ossec agent. Here are my server config INBOUND (security group/firewall) : port:514 source:0.0.0.0/0 port:1514 source:0.0.0.0/0 But it seems to be not working. In my agent log file I keep on getting: 2012/08/28… >>> More
Generating alerts from ossec ( server- agent ) model

as seen on Server Fault - Search for 'Server Fault'
I'm very new to OSSEC. I use a server-agent model. I wish to generate alert for the following actions ( in agent side ): 1) Sample Alert for delation of logs I added the rules for these in agent's ossec.conf using <localfile> tags. Like this : <localfile> <log_format>syslog</log_format> … >>> More
OSSIM - Snort/OSSEC/Nagios Logging Config Question

as seen on Server Fault - Search for 'Server Fault'
Quick n00b OSSIM question. I've looked around but haven't found exactly what I'm looking for. I currently have a Nagios, OSSEC, Nessus, and Snort server and I want to keep those servers active but just ship the logs to the OSSIM server and have it do the correlating and graphing. Can that be done… >>> More
OSSEC : send alerts true gmail? how?

as seen on Server Fault - Search for 'Server Fault'
Try to setup OSSEC to use google gmail to send my alerts like so: <email_notification>yes</email_notification> <email_to>[email protected]</email_to> <smtp_server>smtp.gmail.com</smtp_server> <email_from>ossec@host</email_from> Then I set email alerts… >>> More