Configuring OSSEC rules

Configuring an OSSEC rule consists of specifying which log files and/or Windows events must be monitored, and which decoder files and OSSEC rule sets must be applied to them.

  1. In an audit rule set, click on External events > OSSEC rules.
  2. Click on Add a rule (OSSEC).
  3. If you want to monitor a log file from a third-party application, click on + Monitored file and provide the following information:

  4. If you want to monitor a Windows event log or specific Windows events, click on + Monitored event and provide the following information:

  5. Click on + OSSEC decoder and choose your etc/decoder.xml file. An OSSEC decoder file specifies how each type of log line is recognized and which values (for example the user name or source IP address) are extracted from it. For more information, refer to the OSSEC documentation.
    If you import several decoder files, make sure they are in the right order, using the arrows on the left: a decoder that declares a <parent> must be loaded after that parent.
  6. Click on + OSSEC rule sets and choose your etc-rules/*.xml files, making sure they are in the right order. The rules_config.xml file is mandatory and must come first: it contains OSSEC rules 1 to 7, which must be the first rules declared.
    You can also choose an OSSEC .conf file, in which case you must also specify the folder containing the rule files. The rule files are then imported automatically, in the order in which the .conf file lists them.
  7. Click on Check the rule to check the consistency of your OSSEC analysis configuration. In particular, the following aspects are checked:
    • Validity of the regular expressions found in the decoder files and rule files,
    • Presence of decoders,
    • Presence of rules 1 to 7,
    • Validity of the decoder files and rule files,
    • Use of OSSEC options that are not supported and are therefore ignored.

    The result of the check lists errors, warnings and information messages:

    • Errors prevent the OSSEC configuration from being validated.
    • Warnings do not prevent the configuration from being applied, but may affect how rules are evaluated.
    • Information messages point out potential issues in the configuration and how they were resolved.
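Steps 5 to 7 above describe the decoder file, the ordered rule files and the consistency check run on them. The following Python script is an added example, not part of SES Evolution or OSSEC: it shows what a decoder file and a rule file look like for a hypothetical third-party application named "myapp", together with a constructed stand-in for rules_config.xml, and performs an offline approximation of the listed checks before you import the files: os_regex syntax of <prematch>/<regex> patterns, decoders referenced by <decoded_as> and <parent> actually declared, rules 1 to 7 first, parent rules declared before the child rules that reference them through <if_sid>/<if_matched_sid>, and rule options the checker does not know (reported as "not supported, ignored"). The file contents, the "myapp" name, the accepted escape list and the set of known rule options are assumptions of this example; the authoritative check remains the Check the rule button.

```python
"""Offline consistency check of an OSSEC decoder file plus an ordered list of rule files.
Added example: these checks are this script's own approximation of the list in step 7."""
import re
import xml.etree.ElementTree as ET

# Constructed sample decoder file for a hypothetical third-party application "myapp".
DECODERS = r"""
<decoder name="myapp">
  <prematch>^myapp: </prematch>
</decoder>
<decoder name="myapp-login">
  <parent>myapp</parent>
  <regex offset="after_parent">^login (\w+) from (\d+.\d+.\d+.\d+) result=(\w+)</regex>
  <order>user, srcip, status</order>
</decoder>
"""
# Constructed stand-in for etc-rules/rules_config.xml: rules 1 to 7, which must come first.
RULES_CONFIG = '<group name="syslog,">' + "".join(
    f'<rule id="{i}" level="0" noalert="1"><category>{c}</category>'
    f'<description>Generic template for all {c} rules.</description></rule>'
    for i, c in enumerate(["syslog", "firewall", "ids", "web-log", "squid", "windows", "ossec"], 1)
) + "</group>"
# Constructed rule set for "myapp": a grouping rule, then a child rule that fires on failed logins.
MYAPP_RULES = """
<group name="myapp,">
  <rule id="100100" level="0"><decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description></rule>
  <rule id="100101" level="5"><if_sid>100100</if_sid><field name="status">failed</field>
    <description>myapp: failed login.</description></rule>
</group>
"""
# Assumptions of this checker, not an authoritative list: accepted os_regex escapes and known rule options.
OS_REGEX_ESCAPES = set("wdstpWDS.$()|^\\")
KNOWN_RULE_OPTIONS = {"match", "regex", "decoded_as", "category", "field", "srcip", "dstip", "user",
    "program_name", "hostname", "id", "url", "if_sid", "if_group", "if_level", "if_matched_sid",
    "if_matched_group", "same_source_ip", "same_user", "description", "group", "list", "options"}

def regex_problems(pat):
    """Syntax-check an os_regex pattern without matching anything; returns problem strings."""
    problems, depth, prev, i = [], 0, None, 0
    while i < len(pat):
        ch = pat[i]
        if ch == "\\":
            nxt = pat[i + 1] if i + 1 < len(pat) else None
            if nxt is None:
                problems.append("trailing backslash")
            elif nxt not in OS_REGEX_ESCAPES:
                problems.append(f"unknown escape \\{nxt}")
            ch, i = "x", i + 1                      # an escape uses two chars and acts as a literal
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch in "+*" and prev in (None, "(", "|", "+", "*"):
            problems.append(f"'{ch}' with nothing to repeat")
        prev, i = ch, i + 1
    if depth:
        problems.append("unbalanced parentheses")
    return problems

def capture_groups(pat):                            # unescaped '(' = values that <order> must name
    return len(re.findall(r"(?<!\\)\(", pat))

def elements(xml_text, tag):                        # OSSEC files have no single root: wrap them
    return list(ET.fromstring(f"<root>{xml_text}</root>").iter(tag))

def check(decoder_xml, rule_files):
    """rule_files: [(file name, xml text), ...] in the order in which they will be imported."""
    errors, warnings = [], []
    try:
        decoders = elements(decoder_xml, "decoder")
        rules = [(f, r) for f, text in rule_files for r in elements(text, "rule")]
    except ET.ParseError as e:
        return {"errors": [f"malformed XML: {e}"], "warnings": []}
    names = {d.get("name") for d in decoders}
    if not decoders:
        errors.append("no decoder declared")
    for d in decoders:
        for el in d.findall("prematch") + d.findall("regex"):
            errors += [f"decoder {d.get('name')} <{el.tag}>: {p}" for p in regex_problems(el.text or "")]
        if (parent := d.findtext("parent")) and parent not in names:
            errors.append(f"decoder {d.get('name')}: parent {parent} not declared")
        if order := d.findtext("order"):            # one capture group per extracted field
            if (have := sum(capture_groups(el.text or "") for el in d.findall("regex"))) != len(order.split(",")):
                warnings.append(f"decoder {d.get('name')}: {have} capture group(s) for {len(order.split(','))} <order> field(s)")
    if [r.get("id") for _, r in rules][:7] != [str(i) for i in range(1, 8)]:
        errors.append("rules 1 to 7 (rules_config.xml) must be the first rules declared")
    seen = set()
    for f, r in rules:
        rid = r.get("id")
        if rid in seen:
            errors.append(f"{f}: duplicate rule id {rid}")
        seen.add(rid)
        for el in r:
            if el.tag not in KNOWN_RULE_OPTIONS:
                warnings.append(f"{f} rule {rid}: option <{el.tag}> not supported, ignored")
            elif el.tag == "regex":
                errors += [f"{f} rule {rid} <regex>: {p}" for p in regex_problems(el.text or "")]
            elif el.tag == "decoded_as" and el.text not in names:
                errors.append(f"{f} rule {rid}: decoder {el.text} not declared")
            elif el.tag in ("if_sid", "if_matched_sid"):   # parent rules must already be loaded
                for ref in (el.text or "").split(","):
                    if ref.strip() not in seen:
                        errors.append(f"{f} rule {rid}: <{el.tag}> refers to undeclared rule {ref.strip()}")
    return {"errors": errors, "warnings": warnings}
```

Calling `check(DECODERS, [("rules_config.xml", RULES_CONFIG), ("myapp_rules.xml", MYAPP_RULES)])` returns no errors and no warnings; swapping the two rule files reports that rules 1 to 7 are not first, which is exactly the ordering mistake step 6 warns about. Because rules are walked in import order, a child rule whose parent sits in a later file is also reported, which is the usual cause of "if_sid" load failures in OSSEC itself.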

By default, the OSSEC analysis engine in SES Evolution retrieves Windows events that were generated while it was not running, for example during machine startup. It does not, however, retrieve the lines written to monitored log files during that time.