I'm very new to OSSIM. I have installed OSSIM 3.1 onto a virtual machine (VMware).
I have 2 questions:
1) I have enabled SYSLOG from ossim-setup. Now I'm getting a horde of syslog messages in ANALYSIS -> SIEM. How can I modify the logging rate? How can I manage the syslog configuration? I looked for syslog conf files but there aren't any; I can find only rsyslog files. Moreover, if I do
alienvault:~# ps aux | grep sys
root 3481 0.1 0.0 2492 1416 ? S 08:51 0:12 /var/ossec/bin/ossec syscheckd
root 5951 0.0 0.0 35512 1416 ? Sl 08:58 0:00 /usr/sbin/rsyslogd -c3 -x
root 18427 0.0 0.0 1716 636 pts/0 S+ 11:29 0:00 grep --color=auto sys
I see that only rsyslogd is running.
2) I have enabled Dionaea from ossim-setup and I'm trying to send its log to OSSIM without any result. How can I do that? After that, am I supposed to do something else to let OSSIM correlate the log from Dionaea with other logs?
Thank you
Log forwarding from rsyslog can be set up very easily. You need to edit the /etc/rsyslog.conf file and add the following line:
*.* @@remote-host:514
This will set up your local rsyslog to forward all syslog messages to "remote-host"; 514 is the port number of the rsyslogd server. You can add the above line on all the clients from which you want the logs to be sent. You can read more about it at The official Rsyslog Project Website.
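As an added example (not code from the answer above, from OSSIM, or from rsyslog): the selector part of that line, `*.*`, is what decides which messages leave the box, and narrowing it is the usual way to tame a flood like the one in question 1. The parser below, written for this page, implements the classic sysklogd-style rules that rsyslog still accepts for `facility.priority` selectors and `@`/`@@` forwarding actions (`@` is UDP, `@@` is TCP, port 514 when omitted), and then answers "would this message be forwarded?". It does not cover rsyslog's newer property-based or RainerScript filters, and the host names such as `ossim-server` are made up.

```python
import re
from dataclasses import dataclass, field

# Added example (not OSSIM or rsyslog code): parse classic rsyslog/sysklogd
# selector lines such as "*.* @@remote-host:514" and decide which messages
# they forward. Host names used below are made up.

FACILITY_CODES = {name: code for code, name in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})

SEVERITY_CODES = {name: code for code, name in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
ALL_SEVERITIES = frozenset(SEVERITY_CODES.values())

# "@host" is UDP, "@@host" is TCP; an optional "(...)" carries rsyslog action
# options, and ":port" is optional (514 when omitted).
ACTION_RE = re.compile(
    r"^(?P<at>@@?)(?:\([^)]*\))?(?P<host>[^:\s()]+)(?::(?P<port>\d+))?$")


@dataclass
class ForwardRule:
    host: str
    port: int
    protocol: str                                  # "tcp" or "udp"
    allowed: dict = field(default_factory=dict)    # facility -> set of severity codes

    def matches(self, facility, severity):
        """True if a message with this facility/severity would be forwarded."""
        severity = SEVERITY_ALIASES.get(severity, severity)
        return SEVERITY_CODES[severity] in self.allowed.get(facility, set())


def _facilities(spec):
    names = list(FACILITY_CODES) if spec == "*" else spec.split(",")
    unknown = [n for n in names if n not in FACILITY_CODES]
    if unknown:
        raise ValueError(f"unknown facility {unknown[0]!r}")
    return names


def _severities(spec):
    """Expand a priority spec into (negate, codes) following sysklogd rules:
    'warning' = warning and more severe, '=warning' = exactly warning,
    '!warning' = remove warning and more severe, 'none' = nothing, '*' = all."""
    if spec == "none":
        return False, set()
    if spec == "*":
        return False, set(ALL_SEVERITIES)
    negate = spec.startswith("!")
    exact = spec.lstrip("!").startswith("=")
    name = spec.lstrip("!=")
    name = SEVERITY_ALIASES.get(name, name)
    if name not in SEVERITY_CODES:
        raise ValueError(f"unknown priority {name!r}")
    code = SEVERITY_CODES[name]
    codes = {code} if exact else {c for c in ALL_SEVERITIES if c <= code}
    return negate, codes


def parse_rule(line):
    """Parse 'selector[;selector...]  @[@]host[:port]' into a ForwardRule."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"expected 'selector action': {line!r}")
    selectors, action = parts
    m = ACTION_RE.match(action.strip())
    if not m:
        raise ValueError(f"not a forwarding action: {action!r}")
    rule = ForwardRule(host=m["host"], port=int(m["port"] or 514),
                       protocol="tcp" if m["at"] == "@@" else "udp")
    for selector in selectors.split(";"):
        fac_spec, _, pri_spec = selector.partition(".")
        negate, codes = _severities(pri_spec)
        for fac in _facilities(fac_spec):
            if negate:   # '!' only removes from what earlier selectors allowed
                rule.allowed[fac] = rule.allowed.get(fac, set()) - codes
            else:        # later selectors overwrite earlier ones for that facility
                rule.allowed[fac] = set(codes)
    return rule


if __name__ == "__main__":
    # The line from the answer above: forward everything over TCP.
    everything = parse_rule("*.* @@remote-host:514")
    # A narrower rule: warning and above from all facilities, everything from
    # authpriv, nothing from local0, sent over UDP to a non-default port.
    narrower = parse_rule("*.warning;authpriv.*;local0.none @ossim-server:10514")
    for rule in (everything, narrower):
        print(rule.protocol, rule.host, rule.port,
              "daemon.info forwarded:", rule.matches("daemon", "info"))
```

Running the script shows the difference between the two rules: the `*.*` line forwards `daemon.info`, the narrower one does not, while still passing `authpriv` logins and `daemon` errors. When trimming what is sent, keep in mind that selectors later in the same line overwrite earlier ones for the facilities they name, so put the broad selector first and the exceptions after it.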