Devices send their log messages to the agent as syslog, and the agent stores them under /var/log/xxx.log. The agent calls the matching xxx plugin in /etc/ossim/agent/plugins to read the corresponding log from /var/log/xxx.log, uses the regular expressions written in that plugin to extract the key fields of each log entry, and sends those fields to the server. The server then analyzes the log and presents the result in the OSSIM interface.
The plugins under /etc/ossim/agent/plugins include the ones shipped with the system, and you can also write your own. The core skill is writing regular expressions that extract the fields you are interested in from each kind of log.
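The following is an added example of the field-extraction step described above; it is not code from OSSIM or from any of its plugin files. It applies plugin-style regular expressions with named groups to a few constructed sshd syslog lines and turns each match into a dictionary of normalized fields, which is the kind of record the agent forwards to the server. The rule names, field names and sample lines are all assumptions made for this example, and the real OSSIM .cfg plugin syntax is not reproduced here.

```python
import re

# Constructed sample lines in the syslog shape sshd writes. They are not
# taken from any real system or from an OSSIM plugin file.
SAMPLE_LOG = """\
Mar 10 12:01:33 gw01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 12:01:40 gw01 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar 10 12:01:41 gw01 sshd[2213]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar 10 12:02:02 gw01 cron[988]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Common syslog prefix: timestamp, host that wrote the line, sshd[pid].
SYSLOG_PREFIX = (r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                 r"(?P<sensor>\S+) sshd\[\d+\]: ")

# Rules in the spirit of a plugin: a name plus a regular expression whose
# named groups become the fields of the event. Rule and field names are
# assumptions for this example. Order matters: the first match wins.
RULES = [
    ("ssh-failed-password",
     re.compile(SYSLOG_PREFIX +
                r"Failed password for (?:invalid user )?(?P<user>\S+) "
                r"from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)")),
    ("ssh-accepted",
     re.compile(SYSLOG_PREFIX +
                r"Accepted (?P<method>\w+) for (?P<user>\S+) "
                r"from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)")),
]


def parse_line(line):
    """Return a dict of extracted fields for the first matching rule, or
    None when no rule matches (such lines are simply not forwarded)."""
    for rule_name, pattern in RULES:
        m = pattern.match(line)
        if m:
            event = m.groupdict()
            event["rule"] = rule_name
            event["src_port"] = int(event["src_port"])
            return event
    return None


def parse_log(text):
    """Run every line of a log through the rules and keep the matches."""
    events = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is not None:
            events.append(event)
    return events


def failures_by_source(events):
    """Count failed logins per source address, a simple aggregation of the
    kind the server side performs once the fields have been extracted."""
    counts = {}
    for event in events:
        if event["rule"] == "ssh-failed-password":
            counts[event["src_ip"]] = counts.get(event["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for event in parsed:
        print(event)
    print("failed logins per source:", failures_by_source(parsed))
```

The cron line in the sample never matches, which illustrates why the regular expressions should be anchored and specific: a loose pattern would either swallow unrelated messages or mis-assign fields, and the server would then report wrong source addresses or users.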
aladdin.cfg lucent-brick.cfg pureftpd.cfg
allot.cfg m0n0wall.cfg radiator.cfg
apache.cfg malwaredomainlist.cfg raslogd.cfg
arpalert.cfg mcafee-antispam.cfg realsecure.cfg
arpwatch.cfg mcafee.cfg rrd.cfg
arpwatch_eth0.cfg modsecurity.cfg rsa-secureid.cfg
avast.cfg moodle.cfg serviceguard.cfg
bind.cfg motion.cfg session-monitor.cfg
bro-ids.cfg mwcollect.cfg sidewinder.cfg
cisco-acs.cfg nagios.cfg siteprotector.cfg
cisco-ids.cfg nepenthes.cfg sitescope.cfg
cisco-ips.cfg nessus-detector.cfg snare.cfg
cisco-pix.cfg nessus-monitor.cfg snort_syslog.cfg
cisco-router.cfg netgear.cfg snortunified.cfg
cisco-vpn.cfg netscreen-firewall.cfg snortunified_eth0.cfg
clamav.cfg netscreen-manager.cfg sonicwall.cfg
clurgmgr.cfg netscreen-nsm.cfg sophos.cfg
courier.cfg nmap-monitor.cfg spamassassin.cfg
cyberguard.cfg nortel-switch.cfg squid.cfg
dhcp.cfg ntop-monitor.cfg squidGuard.cfg
dragon.cfg ntsyslog.cfg ssh.cfg
exchange.cfg ocs-monitor.cfg stonegate.cfg
f5.cfg openldap.cfg sudo.cfg
fidelis.cfg opennms-monitor.cfg symantec-ams.cfg
forensics-db-1.cfg optenet.cfg symantec-epm.cfg
fortigate.cfg oracle1.cfg syslog.cfg
fw1-alt.cfg oracle.cfg tarantella.cfg
fw1ngr60.cfg osiris.cfg tcptrack-monitor.cfg
gfi.cfg ossec.cfg tippingpoint.cfg
heartbeat.cfg ossim-agent.cfg topsec.cfg
honeyd.cfg ossim-monitor.cfg trendmicro.cfg
hp-eva.cfg p0f.cfg vmware-workstation.cfg
iis.cfg p0f_eth0.cfg vsftpd.cfg
intrushield.cfg pads.cfg vyatta.cfg
ipfw.cfg pads_eth0.cfg webmin.cfg
iphone.cfg paloalto.cfg whois-monitor.cfg
iptables.cfg pam_unix.cfg wmi-application-logger.cfg
ironport.cfg panda-as.cfg wmi-monitor.cfg
isa.cfg panda-se.cfg wmi-security-logger.cfg
juniper-vpn.cfg pf.cfg wmi-system-logger.cfg
kismet.cfg ping-monitor.cfg
linuxdhcp.cfg postfix.cfg
To have the agent call a plugin, you only need to list the plugin's path in /etc/ossim/agent/config.cfg. Part of the plugin section is shown below:
[plugins]
arpwatch_eth0=/etc/ossim/agent/plugins/arpwatch_eth0.cfg
nmap-monitor=/etc/ossim/agent/plugins/nmap-monitor.cfg
ntop-monitor=/etc/ossim/agent/plugins/ntop-monitor.cfg
oracle=/etc/ossim/agent/plugins/oracle.cfg
ossec=/etc/ossim/agent/plugins/ossec.cfg
ossim-monitor=/etc/ossim/agent/plugins/ossim-monitor.cfg
p0f_eth0=/etc/ossim/agent/plugins/p0f_eth0.cfg
pads_eth0=/etc/ossim/agent/plugins/pads_eth0.cfg
pam_unix=/etc/ossim/agent/plugins/pam_unix.cfg
ping-monitor=/etc/ossim/agent/plugins/ping-monitor.cfg
squid=/etc/ossim/agent/plugins/squid.cfg
ssh=/etc/ossim/agent/plugins/ssh.cfg
sudo=/etc/ossim/agent/plugins/sudo.cfg
whois-monitor=/etc/ossim/agent/plugins/whois-monitor.cfg
wmi-monitor=/etc/ossim/agent/plugins/wmi-monitor.cfg
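As an added example that is not part of the original page or of OSSIM itself, the script below reads a [plugins] section in the shape shown above and reports entries that point outside /etc/ossim/agent/plugins or at a file that does not exist, the two mistakes that most often leave a plugin silently disabled. The sample section is constructed for this example and includes one deliberately wrong entry; the file-existence check is injectable so it can be exercised without touching the real filesystem.

```python
import configparser
import os

PLUGIN_DIR = "/etc/ossim/agent/plugins"

# Constructed fragment in the shape of the [plugins] section of config.cfg.
# The "mystery" entry is deliberately wrong to show what the check reports.
SAMPLE_CONFIG = """\
[plugins]
ssh=/etc/ossim/agent/plugins/ssh.cfg
sudo=/etc/ossim/agent/plugins/sudo.cfg
mystery=/tmp/mystery.cfg
"""


def enabled_plugins(config_text):
    """Return {plugin_name: plugin_path} from the [plugins] section."""
    # Interpolation is disabled so a literal '%' in a path cannot break parsing.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    if not cp.has_section("plugins"):
        return {}
    return dict(cp.items("plugins"))


def check_plugins(config_text, exists=os.path.isfile):
    """Return a list of (plugin_name, problem) for entries that look wrong.

    `exists` defaults to a real filesystem check; pass another callable to
    test the logic against a constructed configuration.
    """
    problems = []
    for name, path in enabled_plugins(config_text).items():
        if os.path.dirname(path) != PLUGIN_DIR:
            problems.append((name, "path is outside " + PLUGIN_DIR))
        if not exists(path):
            problems.append((name, "plugin file not found"))
    return problems


if __name__ == "__main__":
    # Checks the constructed sample against the real filesystem of the host.
    for name, problem in check_plugins(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```

To check the live configuration, read /etc/ossim/agent/config.cfg into a string and pass it to check_plugins in place of SAMPLE_CONFIG.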