I've installed OSSEC but it is not properly reading my logs. Most likely because it was made with the old-fashioned syslog in mind. There is a directive where I need to configure the log file (/var/ossec/etc/ossec.conf):
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>
I changed this to:
<localfile>
  <log_format>syslog</log_format>
  <location>journalctl</location>
</localfile>
To test if things are working, I activated the following rule in /var/ossec/rules/sshd_rules.xml:
<rule id="5722" level="3">
  <if_sid>5700</if_sid>
  <match>Connection closed</match>
  <description>ssh connection closed.</description>
</rule>
Then, I force this entry into the log:
logger Connection closed by user 123
Which properly appears in journalctl:
Dec 31 11:03:45 server user: Connection closed by user 123
However, no mail is sent.
Mail alerts are configured for level 1 (while testing), and other mail alerts (like OSSEC startup) do arrive.
I'd really rather not use the old logging method; trying to move forward! Does anybody have any idea how to make OSSEC work with journalctl?
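Added example, not part of the question above and not OSSEC's own code: a small Python model of how OSSEC's syslog decoder and rule chain treat the test line from the post. It assumes the stock sshd rules, where rule 5700 only fires for events decoded as sshd (program name beginning with "sshd"), and rule 5722 only fires once 5700 has. The `logger` line in the post is tagged with the user name ("user:"), so the program name is not sshd; the sample sshd lines are constructed here for contrast.

```python
import re
from typing import Optional

# Constructed sample lines. The first reproduces the journalctl output shown
# in the question; the other two are made up to show sshd-tagged events.
SAMPLE_LINES = [
    "Dec 31 11:03:45 server user: Connection closed by user 123",
    "Dec 31 11:04:02 server sshd[4242]: Connection closed by 192.0.2.10 port 51234",
    "Dec 31 11:05:10 server sshd[4243]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2",
]

# Simplified BSD-syslog shape: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def decode_syslog(line: str) -> Optional[dict]:
    """Split a syslog line into fields, mirroring what OSSEC's syslog
    pre-decoder extracts before any rule is evaluated."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_as_sshd(event: dict) -> bool:
    """Stand-in for the stock sshd decoder, which keys on program_name ^sshd."""
    return event["prog"].startswith("sshd")


def evaluate(line: str) -> Optional[int]:
    """Return the most specific rule id that fires for this line, or None.

    Models the chain from the question: 5722 has <if_sid>5700</if_sid>, and
    5700 requires <decoded_as>sshd</decoded_as>, so the <match> text alone is
    never enough for a line whose program name is not sshd.
    """
    event = decode_syslog(line)
    if event is None:
        return None
    if not decoded_as_sshd(event):
        return None  # 5700 never fires, so nothing chained from it can
    if "Connection closed" in event["msg"]:
        return 5722  # level 3, above the mail threshold of 1 in the question
    return 5700      # grouping rule only (level 0, no alert)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = decode_syslog(line)
        print(f"program={ev['prog']!r:8} -> rule {evaluate(line)}")
```

Running it shows the first line decoding with program name `user` and no rule firing, while the constructed `sshd[...]` line with "Connection closed" reaches 5722. To exercise the rule with `logger`, the `-t sshd` option sets the tag so the line is decoded as sshd; separately, OSSEC's `<location>` expects a file path rather than a command name, so journald output still has to land in a file (for example via journald's `ForwardToSyslog=yes` plus a syslog daemon) before this `<localfile>` block can read it.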