Difference between revisions of "CentOS 7.x Configure OSSEC server"

From Notes_Wiki
Revision as of 16:23, 2 August 2017


CentOS 7.x Configure OSSEC server

Configuring alerts to go to specific email ID based on rule ID

If you need email alerts for specific rule IDs to go to a different email ID, use the following configuration in the global section of '/var/ossec/etc/ossec.conf':

 <email_alerts>
  <email_to><email-ID></email_to>
  <rule_id><rule-id-list></rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>

For example:

 <email_alerts>
  <email_to>doesnotexists@gmail.com</email_to>
  <rule_id>550,553</rule_id>
  <level>7</level>
  <do_not_delay />
 </email_alerts>
 <email_alerts>
  <email_to>thisisalsowrong@gmail.com</email_to>
  <rule_id>554,557</rule_id>
  <level>7</level>
  <do_not_delay />
 </email_alerts>
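As an added check (not part of the original page or of OSSEC itself), the following script parses email_alerts blocks like the ones above into a rule-ID to recipient map and rejects a block whose email_to is not a plain address (for instance a leftover placeholder tag) or whose rule_id list is not numeric. The sample configuration is constructed from the page's example, and the address check is a simple heuristic, not a full RFC 5322 validator.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of the page's example, wrapped in a
# synthetic <ossec_config> root so ElementTree accepts the fragment.
SAMPLE = """<ossec_config>
 <email_alerts>
  <email_to>doesnotexists@gmail.com</email_to>
  <rule_id>550,553</rule_id>
  <level>7</level>
  <do_not_delay />
 </email_alerts>
 <email_alerts>
  <email_to>thisisalsowrong@gmail.com</email_to>
  <rule_id>554,557</rule_id>
  <level>7</level>
  <do_not_delay />
 </email_alerts>
</ossec_config>"""

# Heuristic only: one '@', no whitespace or angle brackets, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def parse_email_routes(conf_text):
    """Return {rule_id: [recipients]} built from every <email_alerts> block.

    Raises ValueError for malformed XML (a stray tag inside email_to makes
    the fragment ill-formed), an email_to that is not a plain address, or a
    non-numeric rule_id entry, so a broken block is caught before reload.
    """
    try:
        root = ET.fromstring(conf_text)
    except ET.ParseError as exc:
        raise ValueError(f"ossec.conf fragment is not well-formed XML: {exc}")
    routes = {}
    for block in root.iter("email_alerts"):
        to = block.findtext("email_to", default="").strip()
        if not EMAIL_RE.match(to):
            raise ValueError(f"email_to is not a valid address: {to!r}")
        rule_text = block.findtext("rule_id", default="").strip()
        if not rule_text:
            raise ValueError("email_alerts block has no rule_id list")
        for item in rule_text.split(","):
            item = item.strip()
            if not item.isdigit():
                raise ValueError(f"rule_id entry is not numeric: {item!r}")
            routes.setdefault(int(item), []).append(to)
    return routes


def recipients_for(routes, rule_id):
    """Recipients configured for one rule ID (empty list if none)."""
    return routes.get(rule_id, [])
```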


Configure central logging for Windows

To forward all Windows event logs to OSSEC for central logging, add the logall directive to the global section of '/var/ossec/etc/ossec.conf'. For example:

            <global>
                    ...some other global settings...
                    <logall>yes</logall>
                    ...some other global settings...
            </global>

This causes the received logs to be stored at '/var/ossec/logs/archives/archives.log' on the OSSEC server.


Generate alert for new files for monitored directories

If the OSSEC agent on the client is configured to monitor a directory in realtime, as explained at CentOS 7.x Configure Windows agent, then to generate alerts for new files in those directories the OSSEC server can be configured as follows:

  1. To get an alert (and the corresponding email), add the following line under the syscheck section of '/var/ossec/etc/ossec.conf':
     <syscheck>
       <alert_new_files>yes</alert_new_files>
     </syscheck>
     This causes OSSEC to generate an alert whenever the file integrity checker detects a new file in a monitored directory; the corresponding email is sent as well.

Please note that modification of an existing monitored file is treated as an alert (including email) by default, so no special server-side configuration is needed for file modification alerts.
