X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Flogs.txt;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Flogs.txt;h=269068c011973448e1b3893fb9734450cc8a115d;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/logs.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/logs.txt new file mode 100644 index 0000000..269068c --- /dev/null +++ b/debian/ossec-hids/usr/share/doc/ossec-hids/logs.txt 
@@ -0,0 +1,53 @@ +OSSEC v0.9 +Copyright (C) 2009 Trend Micro Inc. + + +OSSEC Logging + +== Introduction == + +Ossec supports three types of logs. Alert logging, firewall +logging and event (archiving) logging. + +Every message received is treated as an event. +Any log message, integrity report, system information will be treated +as such. Event logging is very expensive for the system because +it will archive every event. However, they can be usefull to get +the big picture if some attack happens. + +Alert logging is the most useful one. An alert is generated when +an event is matched against one of the detection rules. In addition +to the logging, OSSEC can also generate e-mail notifications or +execute external commands for them. + + +== Event logging == + +Inside the OSSEC default log directory (by default /var/ossec/logs) +there is an entry for "archives" (/var/ossec/logs/archives). Inside this +directory, all events will be stored by date. +For example, all events received on May 22 of 2004, will be stored on: + +/var/ossec/logs/archives/2004/May/events-22.log + +After each day, a hash will be created for this specific day at + +/var/ossec/logs/archives/2004/May/events-22.log.md5 + +This hash will be the hash of the file from the day 22 plus the hash +from the day 21. + +The hash from the day 1, will be the hash from the day 31 (or 30 or 28) +from the previous month. + +This will ensure that no log will be modified. Also, for this to happen, +all the logs (since the first day) will need to be modified. + + +== Alert logging == + +There will be a "alerts" directory on the OSSEC default logging directory. +It will be organized on the same way the event logging is. Please read +above to understand it. + +
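Review bot: the sentence "This will ensure that no log will be modified" in the "Event logging" section overstates what the daily .md5 chain provides. A hash file written next to the logs on the same host can be regenerated by anyone who can already edit the logs, so the chain only lets an operator detect tampering when the digests are verified against a copy kept off-host, and MD5 is no longer collision resistant. Suggest rewording to "lets you detect whether a day's log was modified" and adding a recommendation to copy the .md5 files elsewhere; also spell out how the chain is computed, since "the hash of the file from the day 22 plus the hash from the day 21" does not say whether the previous digest is concatenated to the file contents before hashing. Smaller points in the same text: the introduction announces three log types but firewall logging never gets a section; "usefull" should be "useful", "a "alerts" directory" should be "an "alerts" directory", and "organized on the same way" should be "organized in the same way".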