--- /dev/null
+OSSEC v0.9
+Copyright (C) 2009 Trend Micro Inc.
+
+
+OSSEC Logging
+
+== Introduction ==
+
+Ossec supports three types of logs. Alert logging, firewall
+logging and event (archiving) logging.
+
+Every message received is treated as an event.
+Any log message, integrity report, system information will be treated
+as such. Event logging is very expensive for the system because
+it will archive every event. However, they can be usefull to get
+the big picture if some attack happens.
+
+Alert logging is the most useful one. An alert is generated when
+an event is matched against one of the detection rules. In addition
+to the logging, OSSEC can also generate e-mail notifications or
+execute external commands for them.
+
+
+== Event logging ==
+
+Inside the OSSEC default log directory (by default /var/ossec/logs)
+there is an entry for "archives" (/var/ossec/logs/archives). Inside this
+directory, all events will be stored by date.
+For example, all events received on May 22 of 2004, will be stored on:
+
+/var/ossec/logs/archives/2004/May/events-22.log
+
+After each day, a hash will be created for this specific day at
+
+/var/ossec/logs/archives/2004/May/events-22.log.md5
+
+This hash will be the hash of the file from the day 22 plus the hash
+from the day 21.
+
+The hash from the day 1, will be the hash from the day 31 (or 30 or 28)
+from the previous month.
+
+This will ensure that no log will be modified. Also, for this to happen,
+all the logs (since the first day) will need to be modified.
+
+
+== Alert logging ==
+
+There will be a "alerts" directory on the OSSEC default logging directory.
+It will be organized on the same way the event logging is. Please read
+above to understand it.
+
+
projects / ossec-hids.git / blobdiff