OSSEC Log File Monitoring

by Tom B. on March 14th, 2011

Log analysis is done inside OSSEC through two processes: ‘logcollector’ and ‘analysisd’. I’ll bet you’re wondering what the difference between them is. As their names imply, ‘logcollector’ collects the events and ‘analysisd’ analyzes them through a series of decoders and rules.

Before getting into the gory details, let’s review some quick facts.

  • Logs are monitored in real time
  • OSSEC manager analyzes log contents (not agent)
  • Analyzed log storage space is user configurable (you can keep them indefinitely)
  • False positives (you’re bound to have a few) can be eliminated through local custom rules
  • Windows IIS logs are supported
  • Windows Event Logs are supported

How do I configure specific log file monitoring? (For example Windows IIS Server Log)

Edit OSSEC’s configuration file (ossec.conf) and add or edit the following XML:

    <localfile>
      <location>%WinDir%\System32\Logfiles\W3SVC3\ex%y%m%d.log</location>
      <log_format>iis</log_format>
    </localfile>

How about Windows Events?

    <localfile>
      <location>Security</location>
      <log_format>eventlog</log_format>
    </localfile>

Out of the box OSSEC supports the following log file formats:

syslog, snort, squid, iis, eventlog, mysql, postgresql, nmapg, apache, command

Luckily it is possible to monitor custom log files by writing a custom OSSEC decoder and a matching local rule. Please see the OSSEC documentation for details.
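To make the custom-decoder step and the earlier point about silencing false positives with local rules concrete, here is an added example that is not from the original post or from the OSSEC project. It assumes a made-up application writing one-line events such as `2011-03-14 10:22:01 myapp: login failed for user bob from 10.0.0.5` to `/var/log/myapp.log`; the application name, log path, field layout and rule IDs are all constructed for illustration (custom rule IDs should sit in the 100000–119999 range OSSEC reserves for local rules).

```xml
<!-- 1. ossec.conf: read the custom file. "syslog" is the generic
        one-event-per-line format, so it works for non-syslog files too. -->
<localfile>
  <location>/var/log/myapp.log</location>
  <log_format>syslog</log_format>
</localfile>

<!-- 2. Decoders (etc/decoder.xml, or etc/local_decoder.xml where supported).
        Parent decoder: cheap prematch that claims every "myapp" line. -->
<decoder name="myapp">
  <prematch>myapp: </prematch>
</decoder>

<!-- Child decoder: only runs after the parent matched, and pulls the
     user name and source IP out of failed-login events so rules can
     reference them as <user> and <srcip>. -->
<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <prematch offset="after_parent">^login failed for user </prematch>
  <regex offset="after_prematch">^(\S+) from (\d+.\d+.\d+.\d+)</regex>
  <order>user, srcip</order>
</decoder>

<!-- 3. Rules (rules/local_rules.xml). -->
<group name="myapp,">

  <!-- Base alert: a single failed login. -->
  <rule id="100010" level="5">
    <decoded_as>myapp</decoded_as>
    <match>login failed</match>
    <description>myapp: failed login.</description>
  </rule>

  <!-- Correlation: five failed logins from one source IP within two
       minutes escalates to a higher-level alert. -->
  <rule id="100011" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from the same source.</description>
  </rule>

  <!-- False-positive suppression: a constructed "healthcheck" account
       that is known to fail on purpose. Level 0 means the event is
       matched but no alert is generated, and because this rule is a
       more specific child of 100010 it overrides the base alert. -->
  <rule id="100012" level="0">
    <if_sid>100010</if_sid>
    <user>healthcheck</user>
    <description>myapp: ignore failed logins from the monitoring account.</description>
  </rule>

</group>
```

After restarting OSSEC, `/var/ossec/bin/ossec-logtest` lets you paste a sample line and confirm which decoder fired, which fields were extracted and which rule (and level) ended up winning before the configuration goes anywhere near production.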

OSSEC is very flexible and, given time and effort, can easily monitor any log file.
