From OSSEC Wiki


As I'm not only new to ossec but also new to wikis, this may take a while to get organized, but I will be placing here all of the things I have done to my SuSE 10.1 installation to make it play nice with ossec.



Firewall logging

First, make sure ossec is looking at your firewall log. Unless you switched to the old syslog during installation, you are running syslog-ng (much nicer ...), which puts all of your firewall logs in /var/log/firewall. So make sure ossec is looking at that file. In your ossec install directory (I installed in /opt instead of /var), edit etc/ossec.conf and look for the "Files to monitor (localfiles)" section. If you don't see an entry for "/var/log/firewall", add the following.

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/firewall</location>
  </localfile>

This will tell ossec to monitor your firewall log and assume it is in the syslog format.


Log rate limiting

Next, the default SuSEFirewall2 installation rate-limits its logging, so during a burst many dropped packets are never logged at all. If you want ossec to be able to see everything that iptables drops, you need to log it all. So, in /etc/sysconfig/SuSEFirewall2, change FW_LOG_LIMIT to no.

FW_LOG_LIMIT="no"
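The two edits above (the localfile entry and the FW_LOG_LIMIT setting) are easy to get wrong by hand, or to apply twice when a page like this is followed on several hosts. The script below is an added example, not part of this wiki page or of the ossec or SuSEFirewall2 projects: it adds the /var/log/firewall localfile block only if ossec.conf does not already contain one, and sets FW_LOG_LIMIT="no" whether or not the variable is already present. Both functions take the file path as an argument so they can be tried on the constructed sample files that the demo function builds in a temp directory; the real paths are /opt/ossec/etc/ossec.conf (or /var/ossec/etc/ossec.conf) and /etc/sysconfig/SuSEFirewall2. The insertion point (just before the last closing ossec_config tag) is an assumption about the layout of ossec.conf.

```shell
#!/bin/sh
# Added example (not from the wiki page): idempotently add the OSSEC
# <localfile> entry for a log file and disable SuSEFirewall2 log rate
# limiting. Real targets would be /opt/ossec/etc/ossec.conf and
# /etc/sysconfig/SuSEFirewall2; paths are passed in so the functions can
# be exercised on constructed sample files.

# Return 0 if ossec.conf already monitors the given log file.
ossec_monitors() {
    conf="$1"; logfile="$2"
    grep -qF "<location>$logfile</location>" "$conf"
}

# Insert a syslog-format <localfile> block for $2 into $1 just before the
# last </ossec_config> line, unless one is already present. Idempotent.
ensure_localfile() {
    conf="$1"; logfile="$2"
    if ossec_monitors "$conf" "$logfile"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    # Buffer the file, remember the last </ossec_config>, and emit the block in front of it.
    awk -v lf="$logfile" '
        { lines[NR] = $0; if ($0 ~ /<\/ossec_config>/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) {
                    print "  <localfile>"
                    print "    <log_format>syslog</log_format>"
                    print "    <location>" lf "</location>"
                    print "  </localfile>"
                }
                print lines[i]
            }
        }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the current FW_LOG_LIMIT value from a SuSEFirewall2 sysconfig file
# (surrounding quotes stripped); prints nothing if the variable is absent.
fw_log_limit() {
    sed -n 's/^FW_LOG_LIMIT="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1"
}

# Set FW_LOG_LIMIT="no"; rewrite the existing line or append one if missing.
disable_fw_log_limit() {
    sysconf="$1"
    if grep -q '^FW_LOG_LIMIT=' "$sysconf"; then
        tmp="$sysconf.tmp.$$"
        sed 's/^FW_LOG_LIMIT=.*/FW_LOG_LIMIT="no"/' "$sysconf" > "$tmp" && mv "$tmp" "$sysconf"
    else
        printf 'FW_LOG_LIMIT="no"\n' >> "$sysconf"
    fi
}

# Build constructed sample files in a temp dir, run both fixes twice to show
# they are idempotent, and print the results.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
EOF
    printf '# constructed sample sysconfig file\nFW_LOG_LIMIT="yes"\n' > "$dir/SuSEFirewall2"

    ensure_localfile "$dir/ossec.conf" /var/log/firewall
    ensure_localfile "$dir/ossec.conf" /var/log/firewall   # second run changes nothing
    disable_fw_log_limit "$dir/SuSEFirewall2"
    disable_fw_log_limit "$dir/SuSEFirewall2"
    cat "$dir/ossec.conf" "$dir/SuSEFirewall2"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh ossec-suse-fixes.sh demo` to see the sample files after the changes; source it and call ensure_localfile and disable_fw_log_limit with the real paths to apply them. Restart ossec afterwards so it picks up the new localfile entry, and reload SuSEFirewall2 for the logging change.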


Init script

I wrote an ossec init script for SuSE10. (Translation: I took /etc/init.d/skeleton and ossec-control and munged them together into a SuSE-style rc script.) ossec-init

More to come ...

--Scottk 17:19, 23 August 2006 (BRST)
