OSSEC can check files: whether a file has been modified, what was changed (in some cases, by normal means), and the file's attributes.
File monitoring is configured in the syscheck section of ossec.conf:
<ossec_config>
<syscheck>
.... file monitoring settings
</syscheck>
</ossec_config>
First, a simple configuration example:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
</syscheck>
Option descriptions
<frequency>: the interval, in seconds, between scans.
<alert_new_files>: whether to report newly created files; the default is no. Even when set to yes, the alert is not shown, because the default level of the OSSEC rule for file creation is 0. To see new-file alerts you must also modify that rule, or create a new rule that overwrites the original one. See Appendix 1.
<directories check_all="yes" realtime="yes" report_changes="yes">: the monitored paths. OSSEC can monitor both directories and individual files, but for realtime monitoring the entry must be a directory.
check_all: perform all checks (MD5, SHA1, and so on).
report_changes: report the changed content of the file.
<ignore>: files or directories to skip.
There is also auto_ignore, used as <auto_ignore>yes|no</auto_ignore>, which stops files that change frequently from generating alerts. With yes, a file that changes more than three times (the default) no longer raises alerts; with no, every change raises an alert. Currently it appears to take effect only globally and cannot be applied to a single file or directory.
After the configuration is complete, restart OSSEC:
# service ossec restart
Appendix 1: file creation alert
Create a rules .xml file (and include it in ossec.conf) under the rules directory of the OSSEC installation (/var/ossec/rules), or directly edit local_rules.xml and add:
<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
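The two pitfalls described above (realtime entries that are not directories, and alert_new_files set to yes while rule 554 still has level 0) can be caught before restarting OSSEC. The following lint is an added example, not part of the original post or of OSSEC; the sample configuration and rule fragments it checks are constructed, and the paths come from a temporary directory created at run time.

```python
"""Lint an OSSEC syscheck configuration for the pitfalls discussed above."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: {dir} and {file} are filled with temporary paths below.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes" report_changes="yes">{dir},{file}</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""
# Rule 554 as shipped (level 0) versus the level-10 override from Appendix 1.
STOCK_RULES = '<rule id="554" level="0"><decoded_as>syscheck_new_entry</decoded_as></rule>'
FIXED_RULES = '<rule id="554" level="10" overwrite="yes"><decoded_as>syscheck_new_entry</decoded_as></rule>'


def lint_syscheck(conf_xml, rules_xml):
    """Return a list of findings; an empty list means neither pitfall is present."""
    findings = []
    # ossec.conf may contain several <ossec_config> roots, so wrap both inputs in one synthetic root.
    conf = ET.fromstring("<root>" + conf_xml + "</root>")
    rules = ET.fromstring("<root>" + rules_xml + "</root>")
    # The last definition of a rule id wins (local_rules.xml is loaded after ossec_rules.xml).
    effective = {rule.get("id"): rule for rule in rules.iter("rule")}
    for sc in conf.iter("syscheck"):
        for entry in sc.findall("directories"):
            if entry.get("realtime") != "yes":
                continue
            # Each <directories> element may list several comma-separated paths.
            for path in (p.strip() for p in (entry.text or "").split(",")):
                if path and not os.path.isdir(path):
                    findings.append(f"realtime requires a directory, not a file: {path}")
        if sc.findtext("alert_new_files", "no").strip().lower() == "yes":
            rule = effective.get("554")
            if rule is None or int(rule.get("level", "0")) == 0:
                findings.append("alert_new_files is yes but rule 554 has level 0: new-file alerts stay silent")
    return findings


def demo(rules_xml):
    """Run the lint against the constructed config with one real directory and one real file."""
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "a.txt")
        open(f, "w").close()
        return lint_syscheck(SAMPLE_CONF.format(dir=d, file=f), rules_xml)


if __name__ == "__main__":
    for finding in demo(STOCK_RULES):
        print(finding)
```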
References: http://www.ossec.net/doc/manual/syscheck/index.html
Source: http://www.usefulshare.com/lion/ossec3.html