Difference between revisions of "CentOS 7.x Configure OSSEC server"

From Notes_Wiki
m
m
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
<yambe:breadcrumb>CentOS_7.x_OSSEC|CentOS 7.x OSSEC</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 7.x]] > [[CentOS 7.x Security Tools|Security Tools]] > [[CentOS 7.x OSSEC]] > [[CentOS 7.x Configure OSSEC server]]
=CentOS 7.x Configure OSSEC server=


==Configuring alerts to go to specific email ID based on rule ID==
==Configuring alerts to go to specific email ID based on rule ID==
Line 61: Line 60:




<yambe:breadcrumb>CentOS_7.x_OSSEC|CentOS 7.x OSSEC</yambe:breadcrumb>
Steps contributed by Pavan Ponamala
 
 
 
[[Main Page|Home]] > [[CentOS]] > [[CentOS 7.x]] > [[CentOS 7.x Security Tools|Security Tools]] > [[CentOS 7.x OSSEC]] > [[CentOS 7.x Configure OSSEC server]]

Latest revision as of 09:37, 25 August 2022

Home > CentOS > CentOS 7.x > Security Tools > CentOS 7.x OSSEC > CentOS 7.x Configure OSSEC server

Configuring alerts to go to specific email ID based on rule ID

If you need email alerts of specific rule IDs to go to different email ID then use following configuratoin in global section of '/var/ossec/etc/ossec.conf'

 <email_alerts>
  <email_to><email-ID></email_to>
  <rule_id><rule-id-list></rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>

For example:

 <email_alerts>
  <email_to>doesnotexists@gmail.com<email-ID></email_to>
  <rule_id>550,553</rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>
 <email_alerts>
  <email_to>thisisalsowrong@gmail.com</email_to>
  <rule_id>554,557</rule_id> 
  <level>7</level>
  <do_not_delay />
 </email_alerts>


Configure central logging for windows

To forward all windows event logs to OSSEC for central logging, add logall directive to global section of '/var/ossec/etc/ossec.conf'. For example

            <global>
                    ...some other global settings...
                    <logall>yes</logall>
                    ...some other global settings...
            </global>

This would cause logs to get stored at '/var/ossec/logs/archives/archives.log' location in OSSEC server.


Generate alert for new files for monitored directories

If OSSEC agent on client is configured to monitor a directory in realtime as explained at CentOS 7.x Configure Windows agent then to generate alerts for new files in those directories, OSSEC server can be configured as follows:

  1. For email/alert, please enter below line under syscheck section in '/var/ossec/etc/ossec.conf'.
    <syscheck>
    <alert_new_files>yes</alert_new_files>
    </syscheck>
    This will cause OSSEC to generate alert whenever a new file is detected with file integrity checker option. Corresponding email will also be sent.

Please note that modification of existing important file is treated as an alert (including email) by default. We do not need any special server side configuration for monitored file modification alerts.



Steps contributed by Pavan Ponamala


Home > CentOS > CentOS 7.x > Security Tools > CentOS 7.x OSSEC > CentOS 7.x Configure OSSEC server