I've installed OSSEC but it is not properly reading my logs. Most likely because it was made with the old-fashioned syslog in mind. There is a directive where I need to configure the log file (/var/ossec/etc/ossec.conf):
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
I changed this to:
<localfile>
<log_format>syslog</log_format>
<location>journalctl</location>
</localfile>
To test if things are working, I activated the following rule in /var/ossec/rules/sshd_rules.xml:
<rule id="5722" level="3">
<if_sid>5700</if_sid>
<match>Connection closed</match>
<description>ssh connection closed.</description>
</rule>
Then, I force this entry into the log:
logger Connection closed by user 123
Which properly appears in journalctl:
Dec 31 11:03:45 server user[2920]: Connection closed by user 123
However, no mail is sent.
Mail alerts are configured for level 1 (while testing), and other mail alerts (like OSSEC startup) do arrive.
I'd really rather not use the old logging method; I'm trying to move forward! Does anybody have any idea how to make OSSEC work with journalctl?
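One thing worth checking before blaming the log source: rule 5722 only fires as a child of rule 5700 (`<if_sid>5700</if_sid>`), and in the stock OSSEC ruleset 5700 is the sshd grouping rule, which only accepts events whose program name decodes as sshd. The `logger` test line above is tagged with program name `user`, so the chain cannot fire no matter how the log reaches OSSEC. The script below is an added example, not part of the post or of OSSEC; it models that decoder/rule chain as a simplified assumption and runs the post's own line and a constructed sshd line through it.

```python
import re

# Syslog-style line as journalctl -o short prints it (and as OSSEC's syslog
# pre-decoder expects): "Dec 31 11:03:45 server user[2920]: Connection closed ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def decode(line):
    """Return the fields a syslog pre-decoder would extract, or None if the line
    is not in syslog format."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

# Assumed, simplified model of the two rules from sshd_rules.xml (not OSSEC's engine):
#   5700: sshd grouping rule, requires the event to be decoded as sshd,
#         i.e. program name "sshd".
#   5722: child of 5700 (<if_sid>5700</if_sid>), matches "Connection closed".
def matching_rules(line):
    fields = decode(line)
    if fields is None:
        return []
    fired = []
    if fields["program"] == "sshd":
        fired.append(5700)
        if "Connection closed" in fields["msg"]:
            fired.append(5722)
    return fired

# Constructed sample lines: the post's logger test (program "user") and the same
# message as sshd itself would log it.
LOGGER_LINE = "Dec 31 11:03:45 server user[2920]: Connection closed by user 123"
SSHD_LINE = "Dec 31 11:04:02 server sshd[2931]: Connection closed by 192.0.2.10 port 51234"

if __name__ == "__main__":
    for line in (LOGGER_LINE, SSHD_LINE):
        print(matching_rules(line), "<-", line)
```

To reproduce a line the chain accepts, tag the test message with `logger -t sshd ...` so the program name is sshd; if that still sends no mail, the problem is the log source rather than the rule.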