The access log is forwarded to the sensor as a data source, and its entries are then mapped to event IDs according to the rules configured in OSSIM.
Data sources are listed under “ossim -> configuration -> threat_intelligence -> data_source”; search for the source as shown below. Pick “AlienVault HIDS-accesslog”, which is the data source that reads the access log.
Browse the data source from the UI.
Events are mapped to OSSEC events in this file:
# /var/ossec/rules/web_rules.xml
Event IDs 31100–31199 are reserved for the web access log rules.
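As an added example (not code from the original post, nor from OSSEC or AlienVault), the script below loads rules written in the syntax of web_rules.xml, enforces the 31100–31199 ID range, and replays access log lines through the rule chain the way the web-accesslog decoder and its child rules would. The rule sample and log lines are constructed for this example; the IDs, level values and descriptions are illustrative, not copied from /var/ossec/rules/web_rules.xml.

```python
import re
import xml.etree.ElementTree as ET

WEB_RULE_RANGE = range(31100, 31200)  # IDs reserved for web access log rules

# Constructed sample in OSSEC rule syntax, laid out like web_rules.xml;
# it is not a copy of /var/ossec/rules/web_rules.xml.
SAMPLE_RULES_XML = """<group name="web,accesslog,">
  <rule id="31100" level="0"><decoded_as>web-accesslog</decoded_as>
    <description>Access log messages grouped.</description></rule>
  <rule id="31101" level="5"><if_sid>31100</if_sid><id>^4</id>
    <description>Web server 400 error code.</description></rule>
  <rule id="31120" level="5"><if_sid>31100</if_sid><id>^5</id>
    <description>Web server 500 error code.</description></rule>
</group>"""

# Constructed access log lines in Apache combined format (RFC 5737 test addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /missing HTTP/1.1" 404 196 "-" "curl/7.88"',
    '198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "POST /api HTTP/1.1" 500 0 "-" "curl/7.88"',
]

ACCESS_RE = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

def load_rules(xml_text):
    """Parse the rules and reject any ID outside the web access log range."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rid = int(r.get("id"))
        if rid not in WEB_RULE_RANGE:
            raise ValueError(f"rule {rid} is outside the 31100-31199 web range")
        rules.append({"id": rid, "level": int(r.get("level")),
                      "if_sid": r.findtext("if_sid"),        # parent rule, if any
                      "status_re": r.findtext("id"),         # <id> matches the HTTP status
                      "description": r.findtext("description")})
    return rules

def parse_access_line(line):
    """Decode one line into the fields the web-accesslog decoder exposes (srcip, url, status)."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def match_event(fields, rules):
    """Return (rule id, level): the base rule, refined by the child rule whose <id> matches."""
    best = next(r for r in rules if r["if_sid"] is None)
    for r in rules:
        if r["if_sid"] == str(best["id"]) and r["status_re"] and re.match(r["status_re"], fields["status"]):
            best = r
    return best["id"], best["level"]
```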