Thread: Regarding OSSEC

  1. #1
    Join Date
    May 2012
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Regarding OSSEC

    FYI...

    Installed OSSEC server version 2.6 on CentOS 6.2, and the agents are web servers installed in a chroot environment.

    Moreover, the OSSEC server and Apache (the web servers are agents) are installed on separate machines.


    In the ossec.conf file, I added the configuration below on both server and agent.

    <localfile>
    <log_format>syslog</log_format>
    <location>/chroot/site/usr/local/apache/logs/error_log</location>
    </localfile>


    Already in decoder.xml and in the rules folder, the Apache-related configuration is set by default.


    Problem: OSSEC is not working for Apache logs, not even generating mails related to Apache errors; the rest of OSSEC is working as needed.

    Please guide me on what has to be done to solve the issue.




  2. #2
    Join Date
    Apr 2012
    Posts
    90
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    2
    My guess is that Apache is running outside of the chroot environment, so the OSSEC agents can't see the logs. Try running OSSEC in a virtual machine that can still access the system running the Apache server, or if in the chroot environment, treat the root system as a remote system, even if you use localhost as the system address.

  3. #3
    Join Date
    May 2012
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Regarding OSSEC

    Quote: Originally posted by Stefano Messicano
    My guess is that Apache is running outside of the chroot environment,

    Sure Apache is running in chroot environment.

    so the OSSEC agents can't see the logs. Try running OSSEC in a virtual machine that can still access the system running the Apache server, or if in the chroot environment, treat the root system as a remote system, even if you use localhost as the system address.

    OSSEC and Apache are installed on separate machines, in such a way that OSSEC can access Apache as needed.

    Note: Only Apache is installed in the chroot environment.

    Moreover, please let me know what has to be cross-checked to solve this part.

  4. #4
    Join Date
    Jan 2012
    Posts
    124
    Thanks
    0
    Thanked 10 Times in 10 Posts
    Rep Power
    2
    Installed OSSEC server version 2.6 in Cent OS 6.2 and agents are web servers installed in chroot environment.
    So, is OSSEC in a chroot environment as well, or no? What you said originally contradicts your newer statement. However, this makes a big difference.

    How is OSSEC set up, exactly? You should have an OSSEC server set up on one machine, and a sensor/agent set up on the Apache machine. If this is correct, then the sensor should not be chroot'ed, but should have access rights to Apache's logs.

    Problem : Ossec is not working for apache logs, not even generating mails related to Apache errors , rest of the ossec part is working as needed.
    Sounds like a permissions issue for Apache's logs to me. What's the output when you run this command:
    ls -liha /chroot/site/usr/local/apache/logs/error_log
    It could be that OSSEC just does not have access rights to either /chroot or some subdirectory of that. Especially if OSSEC is working correctly everywhere else.
    Information Server Management
    Linux server management, PCI consultation and affordable web hosting.

    Security For Us - Where security works for you

    Providing server security and PCI compliance for individuals and businesses.
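
The check suggested in post #4, carried through every directory between / and the log file, as an added example that is not part of the thread or of OSSEC. The function name `check_log_path` and its exit codes are this example's own; run it as the account that has to read the log.

```sh
#!/bin/sh
# Added example, not from the thread. Walks an absolute log path one component
# at a time and stops at the first one the current user cannot get through.
# Exit status (this example's own convention):
#   0  file is readable          1  a directory lacks search (x) permission
#   2  a component is missing    3  file exists but is not readable
#   64 path is not absolute
check_log_path() (
    target=$1
    case $target in
        /*) ;;
        *) echo "need an absolute path: $target" >&2; exit 64 ;;
    esac
    set -f      # no globbing while the path is split on "/"
    IFS=/
    current=
    for part in $target; do
        [ -n "$part" ] || continue          # skip empty fields from "/" or "//"
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "MISSING    $current"
            exit 2
        fi
        ls -ld "$current"                   # owner, group and mode of this component
        if [ -d "$current" ] && [ ! -x "$current" ]; then
            echo "NO SEARCH  $current (needs x for $(id -un))"
            exit 1
        fi
    done
    if [ ! -r "$current" ]; then
        echo "NO READ    $current (needs r for $(id -un))"
        exit 3
    fi
    echo "OK         $current is readable by $(id -un)"
)

# Usage: sh check_log_path.sh /chroot/site/usr/local/apache/logs/error_log
if [ "$#" -gt 0 ]; then
    check_log_path "$1"
fi
```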

 

 
