
#1 2012-12-31 13:06:34

george55
Member
Registered: 2011-08-10
Posts: 68

Installing OSSEC to read the journalctl log

I've installed OSSEC but it is not properly reading my logs. Most likely because it was made with the old-fashioned syslog in mind. There is a directive where I need to configure the log file (/var/ossec/etc/ossec.conf):

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/auth.log</location> 
   </localfile>

I changed this to:

   <localfile> 
     <log_format>syslog</log_format> 
     <location>journalctl</location> 
   </localfile>

To test if things are working, I activated the following rule in /var/ossec/rules/sshd_rules.xml:

   <rule id="5722" level="3">
     <if_sid>5700</if_sid>
     <match>Connection closed</match>
     <description>ssh connection closed.</description>
   </rule>

Then, I force this entry into the log:

logger Connection closed by user 123

Which properly appears in journalctl:

Dec 31 11:03:45 server user[2920]: Connection closed by user 123

However, no mail is sent.

Mail alerts are configured for level 1 (while testing), and other mail alerts (like OSSEC startup) do arrive.

I would really rather not use the old logging method; trying to move forward! Does anybody have any idea how to make OSSEC work with journalctl?
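As an added example (not code from the post or from OSSEC), here is a small Python model of how the two rules in the post chain together: rule 5722 only fires after its parent 5700, and in the stock OSSEC sshd_rules.xml 5700 is a grouping rule that requires the line to be decoded as sshd, i.e. a program name of `sshd`. A `logger` test line is tagged with logger's default tag (`user` in the journal line above), so it is worth checking that the test message can reach the rule at all before debugging the journal input; the parser and the two-rule table below are simplifications constructed for this example.

```python
import re

# Minimal syslog-style line parser, constructed for this example (not OSSEC's decoder):
# "Dec 31 11:03:45 server user[2920]: Connection closed by user 123"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Simplified model of the two rules from the post. Rule 5722 only fires if its
# parent 5700 matched first; in the stock OSSEC sshd_rules.xml 5700 is a grouping
# rule that requires the line to be decoded by the sshd decoder (program name sshd).
RULES = {
    5700: {"decoded_as": "sshd", "level": 0},
    5722: {"if_sid": 5700, "match": "Connection closed", "level": 3},
}

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def decoder_for(event):
    # Only the sshd decoder is modelled here (real OSSEC ships hundreds).
    return "sshd" if event["prog"].startswith("sshd") else None

def evaluate(line):
    """Return the id of the highest-level rule that fires for this line, or None."""
    event = parse_syslog(line)
    if event is None:
        return None
    fired = set()
    for rid, rule in sorted(RULES.items()):
        if "if_sid" in rule and rule["if_sid"] not in fired:
            continue  # parent rule did not match, so the child is never evaluated
        if "decoded_as" in rule and decoder_for(event) != rule["decoded_as"]:
            continue
        if "match" in rule and rule["match"] not in event["msg"]:
            continue
        fired.add(rid)
    alerts = [rid for rid in fired if RULES[rid]["level"] >= 1]
    return max(alerts, key=lambda r: RULES[r]["level"]) if alerts else None

# Constructed samples: the logger line from the post, and a line as sshd itself would log it.
LOGGER_LINE = "Dec 31 11:03:45 server user[2920]: Connection closed by user 123"
SSHD_LINE = "Dec 31 11:05:12 server sshd[2950]: Connection closed by 192.0.2.10"

if __name__ == "__main__":
    for line in (LOGGER_LINE, SSHD_LINE):
        print(evaluate(line), line)
```

Running it shows the logger line producing no alert while the sshd-tagged line reaches rule 5722, independent of whether the journal is being read.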

