Viewing logs generated by OSSEC
The external event logs that the SES Evolution analysis engine generates can be read like other SES Evolution logs in the administration console and on the agent. They are visible only to host administrators on the agent. For more information, refer to Viewing and managing agent logs in the administration console and Viewing logs in the agents’ interface.
The logs contain all the fields collected during OSSEC decoding.
The severity of the log depends on the level of the OSSEC rule that triggered the log:

| Log level in the OSSEC rule | SES Evolution log severity |
|---|---|
| 0 | No log |
| 1 | Diagnosis |
| 2 | Information |
| 3, 4, 5 | Notice |
| 6, 7, 8, 9 | Warning |
| 10 | Error |
| 11, 12 | Critical |
| 13, 14 | Alert |
| 15 | Emergency |
EXAMPLE
The image below shows FileZilla logs extracted by the analysis engine and reported in the agent's interface. The analysis engine detects password-based authentication attempts on a FileZilla server from the same IP address, and raises alarms when there are multiple failures followed by a successful authentication.
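The following Python script is an added illustration, not code from Stormshield, SES Evolution or OSSEC. It shows the two things this page describes: the severity table above, applied as a lookup from OSSEC rule level to SES Evolution severity, and the FileZilla scenario, where repeated failed logins from one source IP followed by a successful login raise a higher-severity alarm than a single failure. The log layout, the regular expression, the rule levels (5 and 12) and the failure threshold (3) are assumptions made for this example; a real OSSEC decoder and ruleset carry their own patterns and levels.

```python
"""Added example: decode FileZilla-style FTP authentication lines, correlate
failed logins per source IP, and map each alarm's rule level to the SES
Evolution severity given in the table on this page."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Mapping copied from the page's table: OSSEC rule level -> SES Evolution severity.
LEVEL_TO_SEVERITY = {
    0: "No log", 1: "Diagnosis", 2: "Information",
    3: "Notice", 4: "Notice", 5: "Notice",
    6: "Warning", 7: "Warning", 8: "Warning", 9: "Warning",
    10: "Error", 11: "Critical", 12: "Critical",
    13: "Alert", 14: "Alert", 15: "Emergency",
}


def ses_severity(level: int) -> str:
    """Return the SES Evolution severity for an OSSEC rule level (0..15)."""
    if level not in LEVEL_TO_SEVERITY:
        raise ValueError(f"OSSEC rule levels range from 0 to 15, got {level}")
    return LEVEL_TO_SEVERITY[level]


# Constructed sample lines in a FileZilla-Server-like layout. The layout is an
# assumption for this example only; the real decoder uses its own regex.
SAMPLE_LOG = """\
(000012) 2024-01-01 10:00:01 - (not logged in) (203.0.113.5)> 530 Login or password incorrect!
(000012) 2024-01-01 10:00:03 - (not logged in) (203.0.113.5)> 530 Login or password incorrect!
(000013) 2024-01-01 10:00:04 - (not logged in) (198.51.100.7)> 530 Login or password incorrect!
(000012) 2024-01-01 10:00:05 - (not logged in) (203.0.113.5)> 530 Login or password incorrect!
(000012) 2024-01-01 10:00:07 - (not logged in) (203.0.113.5)> 230 Logged on
(000013) 2024-01-01 10:00:09 - (not logged in) (198.51.100.7)> 230 Logged on
"""

LINE_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<ts>\S+ \S+) - \((?P<user>[^)]*)\) "
    r"\((?P<srcip>[\d.]+)\)> (?P<code>\d{3}) (?P<msg>.*)$"
)

# Hypothetical rule levels and threshold for this example (not real OSSEC rule levels).
FAILED_LOGIN_LEVEL = 5          # single failure -> "Notice"
BRUTE_THEN_SUCCESS_LEVEL = 12   # failures followed by success -> "Critical"
FAILURE_THRESHOLD = 3


@dataclass
class Alert:
    srcip: str
    rule_level: int
    severity: str
    description: str


def decode(line: str):
    """Return the fields a decoder would extract from one line, or None if unmatched."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str) -> list:
    """Walk the log once, counting failed logins per source IP since its last
    success. A 230 (logged on) that follows at least FAILURE_THRESHOLD failures
    from the same IP produces the high-severity alarm; any success resets the count."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None:
            continue  # lines the decoder does not understand are skipped
        ip = ev["srcip"]
        if ev["code"] == "530":
            failures[ip] += 1
            alerts.append(Alert(ip, FAILED_LOGIN_LEVEL,
                                ses_severity(FAILED_LOGIN_LEVEL), "Failed FTP login"))
        elif ev["code"] == "230":
            if failures[ip] >= FAILURE_THRESHOLD:
                alerts.append(Alert(ip, BRUTE_THEN_SUCCESS_LEVEL,
                                    ses_severity(BRUTE_THEN_SUCCESS_LEVEL),
                                    f"Successful login after {failures[ip]} failures"))
            failures[ip] = 0
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.severity:<9} level={a.rule_level:<2} {a.srcip:<14} {a.description}")
```

On the constructed sample, 203.0.113.5 fails three times and then logs on, so it produces three "Notice" alarms and one "Critical" alarm; 198.51.100.7 fails once before logging on and produces only a "Notice". The counter is reset on every success so that a later, unrelated failure from the same address starts a fresh sequence.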