Regding OSSEC

Discussion in 'General Linux' started by vamsi_k, May 7, 2012.

  1. vamsi_k

    vamsi_k New Member

    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    FYI...

    Installed OSSEC server version 2.6 in Cent OS 6.2 and agents are web servers


    installed in chroot environment.

    Moreover ossec server and apache (web servers are agents) are installed in separate machines.


    In ossec.conf file, added below configuration in both server and agent.

    <localfile>
    <log_format>syslog</log_format>
    <location>/chroot/site/usr/local/apache/logs/error_log</location>
    </localfile>


    Already in decoder.xml and in rules folder apache related configuration is set

    by default.


    Problem : Ossec is not working for apache logs, not even generating


    mails related to Apache errors , rest of the ossec part is working as needed.

    Please guide me what has to be done to solve the issue.
  2. Stefano Messicano

    Stefano Messicano New Member

    Messages:
    88
    Likes Received:
    1
    Trophy Points:
    0
    My guess is that Apache is running outside of the chroot environment, so the OSSEC agents can't see the logs. Try running OSSEC in a virtual machine that can still access the system running the Apache server, or if in the chroot environment, treat the root system as a remote system, even if you use localhost as the system address.
  3. vamsi_k

    vamsi_k New Member

    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0

    Ossec and apache are installed in separate machines, in such a way that ossec can access apache as needed.

    Note : Only apache is installed in chroot environment.

    Moreover please let me know what has to cross checked to solve this part.
  4. ehansen

    ehansen New Member Staff Writer

    Messages:
    115
    Likes Received:
    11
    Trophy Points:
    0
    So, is OSSEC in a chroot environment as well, or no? What you said originally contradicts your newer statement. However, this makes a big difference.

    How is OSSEC set up, exactly? You should have an OSSEC server set up on one machine, and a sensor/agent set up on the Apache machine. If this is correct, then the sensor should not be chroot'ed, but should have access rights to Apache's logs.

    Sounds like a permissions issue for Apache's logs myself. What's the output when you run this command:
    It could be that OSSEC just does not have access rights to either /chroot or some subdirectory of that. Espcially if OSSEC is working correctly everywhere else.

Share This Page