--- etc/ossec-server.conf 2007-06-14 19:23:06.000000000 -0400 +++ etc/ossec-server.conf.new 2007-06-14 19:23:46.000000000 -0400 @@ -3,29 +3,48 @@ <ossec_config> <global> <email_notification>yes</email_notification> - <email_to>daniel.cid@xxx.com</email_to> - <smtp_server>smtp.xxx.com.</smtp_server> - <email_from>ossecm@ossec.xxx.com.</email_from> + <email_to>root@localhost</email_to> + <smtp_server>localhost</smtp_server> + <email_from>ossecm@localhost</email_from> </global> <rules> <include>rules_config.xml</include> + <include>pam_rules.xml</include> <include>sshd_rules.xml</include> + <include>telnetd_rules.xml</include> <include>syslog_rules.xml</include> + <include>arpwatch_rules.xml</include> + <include>symantec-av_rules.xml</include> <include>pix_rules.xml</include> <include>named_rules.xml</include> + <include>smbd_rules.xml</include> + <include>vsftpd_rules.xml</include> <include>pure-ftpd_rules.xml</include> <include>proftpd_rules.xml</include> + <include>ms_ftpd_rules.xml</include> + <include>hordeimp_rules.xml</include> + <include>vpopmail_rules.xml</include> <include>web_rules.xml</include> <include>apache_rules.xml</include> <include>ids_rules.xml</include> <include>squid_rules.xml</include> <include>firewall_rules.xml</include> + <include>netscreenfw_rules.xml</include> <include>postfix_rules.xml</include> <include>sendmail_rules.xml</include> + <include>imapd_rules.xml</include> + <include>mailscanner_rules.xml</include> + <include>ms-exchange_rules.xml</include> + <include>racoon_rules.xml</include> + <include>vpn_concentrator_rules.xml</include> <include>spamd_rules.xml</include> <include>msauth_rules.xml</include> + <!-- <include>policy_rules.xml</include> --> <include>attack_rules.xml</include> + <include>local_rules.xml</include> + <include>ossec_rules.xml</include> + <include>asl_rules.xml</include> </rules> <syscheck> @@ -38,11 +57,15 @@ <!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore> + <ignore>/etc/mnttab</ignore> <ignore>/etc/hosts.deny</ignore> <ignore>/etc/mail/statistics</ignore> <ignore>/etc/random-seed</ignore> <ignore>/etc/adjtime</ignore> <ignore>/etc/httpd/logs</ignore> + <ignore>/etc/utmpx</ignore> + <ignore>/etc/wtmpx</ignore> + <ignore>/etc/cups/certs</ignore> </syscheck> <rootcheck> @@ -52,10 +75,6 @@ <global> <white_list>127.0.0.1</white_list> - <white_list>192.168.2.1</white_list> - <white_list>192.168.2.190</white_list> - <white_list>192.168.2.32</white_list> - <white_list>192.168.2.10</white_list> </global> <remote> @@ -122,31 +141,32 @@ <localfile> <log_format>syslog</log_format> - <location>/var/log/authlog</location> + <location>/var/log/secure</location> </localfile> <localfile> <log_format>syslog</log_format> - <location>/var/log/secure</location> + <location>/var/log/maillog</location> </localfile> <localfile> - <log_format>syslog</log_format> - <location>/var/log/xferlog</location> + <log_format>apache</log_format> + <location>/var/log/httpd/error_log</location> </localfile> <localfile> - <log_format>syslog</log_format> - <location>/var/log/maillog</location> + <log_format>apache</log_format> + <location>/var/log/httpd/access_log</location> </localfile> <localfile> <log_format>apache</log_format> - <location>/var/www/logs/access_log</location> + <location>/etc/httpd/logs/access_log</location> </localfile> <localfile> <log_format>apache</log_format> - <location>/var/www/logs/error_log</location> + <location>/etc/httpd/logs/error_log</location> </localfile> + </ossec_config>