I recently tried out Wazuh.
Installation is easy if you follow the official documentation.
But after installing, when I tried to change the admin password by following the official documentation, it failed many times
and it even broke Wazuh so that it would not open.
After installation, the main configuration file is
/var/ossec/etc/ossec.conf
(every fragment below lives inside the <ossec_config> element of that file).
So far I have only changed the email notification settings and enabled the syslog server.
Email notification (inside <global>):
<global>
  <email_notification>yes</email_notification>
  <smtp_server>10.0.0.1</smtp_server>
  <email_from>wazuh@abc.com</email_from>
  <email_to>abc@abc.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  <update_check>yes</update_check>
</global>
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>10</email_alert_level>
</alerts>
email_alert_level is the level an alert must reach before it is emailed; change it to whatever threshold you want. log_alert_level is the minimum level written to alerts.log, and since email_log_source points at alerts.log, email_alert_level should not be set below log_alert_level.
Enabling the syslog server:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/8</allowed-ips>
  <local_ip>10.1.1.1</local_ip>
</remote>
allowed-ips is mandatory for a syslog listener; without at least one entry remoted will not accept any sender. Restart the manager (systemctl restart wazuh-manager) after editing ossec.conf.
On the agent side you have to add the files you want to monitor yourself, as <localfile> entries in the agent's ossec.conf; only then are they forwarded to the manager for parsing.
<localfile>
  <location>/var/log/httpd/access_log</location>
  <log_format>apache</log_format>
</localfile>
<localfile>
  <location>/var/log/httpd/error_log</location>
  <log_format>syslog</log_format>
</localfile>
<localfile>
  <location>/var/log/secure</location>
  <log_format>syslog</log_format>
</localfile>
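Because a typo in ossec.conf can stop the manager from starting, it is worth sanity-checking the email, alert-level, remote and localfile settings before restarting. The script below is an added example written for this post, not Wazuh's own tooling; it embeds a constructed ossec.conf built from the fragments above (10.0.0.1, abc.com and 10.1.1.1 are the post's placeholders) and checks the constraints discussed: email settings are complete, email_alert_level is not below log_alert_level, the syslog listener has a valid allowed-ips, and every localfile has both a location and a log_format. It also handles the real-world quirk that ossec.conf may contain several top-level <ossec_config> blocks, which a strict XML parser rejects unless the file is wrapped first.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample assembled from the fragments in this post, laid out the way they sit in
# /var/ossec/etc/ossec.conf (10.0.0.1, abc.com and 10.1.1.1 are the post's placeholders).
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>10.0.0.1</smtp_server>
    <email_from>wazuh@abc.com</email_from>
    <email_to>abc@abc.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
    <local_ip>10.1.1.1</local_ip>
  </remote>
</ossec_config>
<ossec_config>
  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is not well-formed
    XML as a whole, so wrap the file in a synthetic root before handing it to the parser."""
    return ET.fromstring("<root>" + text + "</root>")


def _text(parent, tag):
    node = parent.find(tag)
    return node.text.strip() if node is not None and node.text else None


def _is_network(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_conf(root):
    """Return a list of findings; an empty list means the checked settings are consistent."""
    findings = []

    for g in root.iter("global"):
        if _text(g, "email_notification") == "yes":
            for tag in ("smtp_server", "email_from", "email_to"):
                if not _text(g, tag):
                    findings.append(f"global: email_notification is yes but <{tag}> is missing")

    for a in root.iter("alerts"):
        try:  # documented defaults are 3 (log) and 12 (email)
            log_lvl = int(_text(a, "log_alert_level") or 3)
            mail_lvl = int(_text(a, "email_alert_level") or 12)
        except ValueError:
            findings.append("alerts: log_alert_level and email_alert_level must be integers")
            continue
        if not (0 <= log_lvl <= 16 and 0 <= mail_lvl <= 16):
            findings.append("alerts: alert levels must be between 0 and 16")
        if mail_lvl < log_lvl:
            findings.append(f"alerts: email_alert_level {mail_lvl} is below log_alert_level "
                            f"{log_lvl}; alerts under log_alert_level never reach alerts.log, "
                            "the file email_log_source reads, so they are never mailed")

    for r in root.iter("remote"):
        conn = _text(r, "connection")
        port = _text(r, "port")
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"remote: invalid port {port!r}")
        proto = _text(r, "protocol")
        if proto is not None and proto.lower() not in ("udp", "tcp"):
            findings.append(f"remote: protocol must be udp or tcp, got {proto!r}")
        local_ip = _text(r, "local_ip")
        if local_ip is not None:
            try:
                ipaddress.ip_address(local_ip)
            except ValueError:
                findings.append(f"remote: local_ip {local_ip!r} is not a single IP address")
        allowed = [n.text.strip() for n in r.findall("allowed-ips") if n.text]
        if conn == "syslog" and not allowed:
            findings.append("remote: a syslog listener needs at least one <allowed-ips>; "
                            "remoted does not accept any sender without it")
        for net in allowed:
            if net.lower() == "any":
                findings.append("remote: allowed-ips 'any' accepts syslog from every host; restrict it")
            elif not _is_network(net):
                findings.append(f"remote: allowed-ips {net!r} is not a valid IP or CIDR")

    for lf in root.iter("localfile"):
        if not _text(lf, "location") or not _text(lf, "log_format"):
            findings.append("localfile: both <location> and <log_format> are required")

    return findings


if __name__ == "__main__":
    # To check a live file instead: check_conf(parse_ossec_conf(open("/var/ossec/etc/ossec.conf").read()))
    for line in check_conf(parse_ossec_conf(SAMPLE_CONF)) or ["ossec.conf fragments look consistent"]:
        print(line)
```

The checks are deliberately conservative: anything not in the file is left to Wazuh's own defaults rather than guessed, and the script only flags combinations that are either rejected by the manager or silently do nothing, which is exactly the class of mistake that makes a fresh install "not open" after a config edit.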