Log Monitoring¶

What is log monitoring¶

OSSEC can monitor log messages in real-time, comparing them to a set of pre-defined rules. These rules can trigger alerts to notify analysts or administrators of a possible issue to be investigated.

These log messages can currently come from log files on the system, commands run by OSSEC on the system and via syslog from networked devices.

log files¶

OSSEC can monitor text based log files from syslog on all systems, and EventLog or EventChannel log formats on Windows based systems.

The localfile option can be used to monitor a log file. See the syntax for localfile for more information.

commands¶

OSSEC is able to run commands on a system and monitor the output. The command will be run periodically, with a admin configurable frequency. The command output can be monitored for content directly, or for changes between runs.

See the syntax for command for more information..

syslog¶

OSSEC is able to receive syslog messages from systems that cannot have an agent installed on them. This insludes many network devices like routers, firewalls, and switches.

See the remote documentation for more information.