CentOS 7.x Configure OSSEC server

From Notes_Wiki
Revision as of 09:37, 25 August 2022 by Saurabh (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Home > CentOS > CentOS 7.x > Security Tools > CentOS 7.x OSSEC > CentOS 7.x Configure OSSEC server

Configuring alerts to go to specific email ID based on rule ID

If you need email alerts of specific rule IDs to go to different email ID then use following configuratoin in global section of '/var/ossec/etc/ossec.conf'

 <email_alerts>
  <email_to><email-ID></email_to>
  <rule_id><rule-id-list></rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>

For example:

 <email_alerts>
  <email_to>doesnotexists@gmail.com<email-ID></email_to>
  <rule_id>550,553</rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>
 <email_alerts>
  <email_to>thisisalsowrong@gmail.com</email_to>
  <rule_id>554,557</rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>


Configure central logging for windows

To forward all windows event logs to OSSEC for central logging, add logall directive to global section of '/var/ossec/etc/ossec.conf'. For example

            <global>
                    ...some other global settings...
                    <logall>yes</logall>
                    ...some other global settings...
            </global>

This would cause logs to get stored at '/var/ossec/logs/archives/archives.log' location in OSSEC server.


Generate alert for new files for monitored directories

If OSSEC agent on client is configured to monitor a directory in realtime as explained at CentOS 7.x Configure Windows agent then to generate alerts for new files in those directories, OSSEC server can be configured as follows:

  1. For email/alert, please enter below line under syscheck section in '/var/ossec/etc/ossec.conf'.
    <syscheck>
    <alert_new_files>yes</alert_new_files>
    </syscheck>
    This will cause OSSEC to generate alert whenever a new file is detected with file integrity checker option. Corresponding email will also be sent.

Please note that modification of existing important file is treated as an alert (including email) by default. We do not need any special server side configuration for monitored file modification alerts.



Steps contributed by Pavan Ponamala


Home > CentOS > CentOS 7.x > Security Tools > CentOS 7.x OSSEC > CentOS 7.x Configure OSSEC server