+++ /dev/null
-OSSEC v0.9
-Copyright (C) 2009 Trend Micro Inc.
-
-
-OSSEC Logging
-
-== Introduction ==
-
-Ossec supports three types of logs. Alert logging, firewall
-logging and event (archiving) logging.
-
-Every message received is treated as an event.
-Any log message, integrity report, system information will be treated
-as such. Event logging is very expensive for the system because
-it will archive every event. However, they can be usefull to get
-the big picture if some attack happens.
-
-Alert logging is the most useful one. An alert is generated when
-an event is matched against one of the detection rules. In addition
-to the logging, OSSEC can also generate e-mail notifications or
-execute external commands for them.
-
-
-== Event logging ==
-
-Inside the OSSEC default log directory (by default /var/ossec/logs)
-there is an entry for "archives" (/var/ossec/logs/archives). Inside this
-directory, all events will be stored by date.
-For example, all events received on May 22 of 2004, will be stored on:
-
-/var/ossec/logs/archives/2004/May/events-22.log
-
-After each day, a hash will be created for this specific day at
-
-/var/ossec/logs/archives/2004/May/events-22.log.md5
-
-This hash will be the hash of the file from the day 22 plus the hash
-from the day 21.
-
-The hash from the day 1, will be the hash from the day 31 (or 30 or 28)
-from the previous month.
-
-This will ensure that no log will be modified. Also, for this to happen,
-all the logs (since the first day) will need to be modified.
-
-
-== Alert logging ==
-
-There will be a "alerts" directory on the OSSEC default logging directory.
-It will be organized on the same way the event logging is. Please read
-above to understand it.
-
-
projects / ossec-hids.git / blobdiff