Difference between revisions of "CentOS 7.x Configure OSSEC server"

From Notes_Wiki
Revision as of 11:18, 27 January 2019


CentOS 7.x Configure OSSEC server

Configuring alerts to go to specific email ID based on rule ID

If you need email alerts for specific rule IDs to go to different email addresses, add one '<email_alerts>' block per destination to '/var/ossec/etc/ossec.conf'. These blocks are direct children of '<ossec_config>', next to the '<global>' section (not inside it); the '<global>' section must still have '<email_notification>yes</email_notification>' and a working SMTP setup or no mail is sent at all. '<rule_id>' takes a comma-separated list of rule IDs, '<level>' is the minimum alert level for that block, and '<do_not_delay />' sends the mail immediately instead of batching it with other alerts. Restart OSSEC after editing the file.

 <email_alerts>
  <email_to><email-ID></email_to>
  <rule_id><rule-id-list></rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>

For example:

 <email_alerts>
  <email_to>doesnotexists@gmail.com</email_to>
  <rule_id>550,553</rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>
 <email_alerts>
  <email_to>thisisalsowrong@gmail.com</email_to>
  <rule_id>554,557</rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>


Configure central logging for windows

To keep every log line the server receives, including all Windows event logs forwarded by agents and not only the lines that match a rule, add the 'logall' directive to the global section of '/var/ossec/etc/ossec.conf' and restart OSSEC. Note that 'logall' is not Windows-specific: it archives every event from every agent, so size the disk and log rotation accordingly. For example

            <global>
                    ...some other global settings...
                    <logall>yes</logall>
                    ...some other global settings...
            </global>

Archived logs are then written to '/var/ossec/logs/archives/archives.log' on the OSSEC server, with daily rotated copies kept in dated subdirectories of '/var/ossec/logs/archives/'.


Generate alert for new files for monitored directories

If the OSSEC agent on a client is configured to monitor a directory in realtime, as explained at CentOS 7.x Configure Windows agent, then the OSSEC server can be configured as follows to generate alerts for new files in those directories:

  1. To get an alert (and email) for new files, add the following line to the syscheck section of the server's '/var/ossec/etc/ossec.conf':
    <syscheck>
    <alert_new_files>yes</alert_new_files>
    </syscheck>
    With this set, the server raises an alert whenever the integrity checker reports a new file in a monitored directory (rule 554, "File added to the system."). In the stock rule set rule 554 is level 0, which produces no alert and no email; to actually see them, raise its level in '/var/ossec/rules/local_rules.xml' with a rule that has the same id and 'overwrite="yes"', then restart OSSEC. Once the alert level meets the email threshold, the corresponding email is also sent.

Please note that modification or deletion of a monitored file is alerted by default: rules 550 ("Integrity checksum changed") and 553 ("File deleted") are level 7 in the stock rule set, which also meets the default email threshold, so no special server-side configuration is needed for those alerts.
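As an added example (not from this page or from OSSEC itself), the following Python script models how the email routing and the new-file alerting above interact: it parses the '<email_alerts>' blocks from a constructed ossec.conf fragment, applies a constructed local_rules.xml override of rule 554, and reports which addresses would be mailed when rules 550, 553 and 554 fire. The addresses, the stock rule levels and the exact matching order are assumptions for illustration.

```python
"""Simulate OSSEC granular e-mail routing for syscheck alerts.

Added example (not part of the wiki page or OSSEC itself). It parses the
<email_alerts> blocks described above from a constructed ossec.conf, takes
rule levels from a constructed local_rules.xml override, and reports which
addresses would be mailed for a given rule id. Addresses, the stock rule
levels and the exact matching order are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment following the page's example layout.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
  <email_alerts>
    <email_to>fim-team@example.com</email_to>
    <rule_id>550,553</rule_id>
    <level>7</level>
    <do_not_delay />
  </email_alerts>
  <email_alerts>
    <email_to>newfiles@example.com</email_to>
    <rule_id>554</rule_id>
    <level>7</level>
    <do_not_delay />
  </email_alerts>
</ossec_config>"""

# Assumed stock levels of the syscheck rules used here (the default rule set
# has 554 "File added to the system." at level 0, which never alerts).
STOCK_RULE_LEVELS = {550: 7, 553: 7, 554: 0}

# Constructed local_rules.xml fragment that raises rule 554 to level 7.
LOCAL_RULES = """<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""


def parse_email_routes(conf_xml):
    """Return one dict per <email_alerts> block: recipient, rule ids, level."""
    routes = []
    for block in ET.fromstring(conf_xml).findall("email_alerts"):
        ids_text = block.findtext("rule_id", default="")
        routes.append({
            "to": block.findtext("email_to", default="").strip(),
            # Empty set means the block is not restricted to particular rules.
            "rule_ids": {int(x) for x in ids_text.split(",") if x.strip()},
            "level": int(block.findtext("level", default="1")),
            "immediate": block.find("do_not_delay") is not None,
        })
    return routes


def global_email(conf_xml):
    """Return (global email_to, email_alert_level) from the config."""
    root = ET.fromstring(conf_xml)
    return (root.findtext("global/email_to", default="").strip(),
            int(root.findtext("alerts/email_alert_level", default="7")))


def effective_levels(stock_levels, local_rules_xml):
    """Apply <rule ... overwrite="yes"> entries from local_rules.xml."""
    levels = dict(stock_levels)
    for rule in ET.fromstring(local_rules_xml).iter("rule"):
        if rule.get("overwrite") == "yes":
            levels[int(rule.get("id"))] = int(rule.get("level"))
    return levels


def recipients(rule_id, conf_xml, rule_levels):
    """Addresses mailed when rule_id fires (assumed semantics).

    Level 0 rules never alert, so they mail nobody. Otherwise the global
    email_to gets the alert if it is at or above email_alert_level, and each
    <email_alerts> block whose rule list contains the rule (or is unrestricted)
    and whose own <level> is met adds its recipient.
    """
    level = rule_levels.get(rule_id, 0)
    if level == 0:
        return []
    out = set()
    default_to, default_level = global_email(conf_xml)
    if default_to and level >= default_level:
        out.add(default_to)
    for route in parse_email_routes(conf_xml):
        matches = not route["rule_ids"] or rule_id in route["rule_ids"]
        if matches and level >= route["level"]:
            out.add(route["to"])
    return sorted(out)


if __name__ == "__main__":
    overridden = effective_levels(STOCK_RULE_LEVELS, LOCAL_RULES)
    for label, levels in (("stock rules", STOCK_RULE_LEVELS),
                          ("with local_rules.xml", overridden)):
        for rid in (550, 553, 554):
            print(f"{label}: rule {rid} -> {recipients(rid, OSSEC_CONF, levels)}")
```

Running it shows rule 554 mailing nobody under the stock levels and reaching both the global address and the new-files recipient once the local_rules.xml override is applied, which is the check to do before relying on alert_new_files in production.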



Steps contributed by Pavan Ponamala
