Where are the docs or support forum for ossec+?

Support/Development for OSSEC
raskolnikov88
Forum User
Forum User
Posts: 6
Joined: Sat Dec 19, 2020 1:16 pm
Location: US

Where are the docs or support forum for ossec+?

Unread post by raskolnikov88 »

After a couple days of trial and error I've learned a few things about ossec+, but there seems to be a lack of documentation. All of the documentation turns out to be for ossec, and I can find nothing about configuring the elk stack.

Is there an ossec+ support forum I missed somehow?
User avatar
cponton
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 13
Joined: Fri Oct 09, 2020 9:41 am

Re: Where are the docs or support forum for ossec+?

Unread post by cponton »

Forgive the delayed reply!

You can find most documentation at https://www.ossec.net/docs/

If you have any questions that you cannot find a solution to on the docs site, please drop them here and we will do our best to answer them for you.
Thanks!
PickleRick
New Forum User
New Forum User
Posts: 1
Joined: Thu Mar 25, 2021 5:27 am

Re: Where are the docs or support forum for ossec+?

Unread post by PickleRick »

Unless I am missing something the linked docs do not cover OSSEC+ at all?

https://www.ossec.net/ pushes OSSEC+ as a step up from the base OSSEC install, and lists a bunch of extras, but where are they? How do I use them?

I registered for OSSEC+ and followed through the install guide. The process was extremely poor. It was so bad I started keeping notes to pass on, and I submitted them through the email feedback request I got a day later.

Was I supposed to install OSSEC first, and then install OSSEC+ (or oum, I guess)? The OSSEC+/oum install process did not walk me through the install steps like a normal OSSEC install does, where you are asked if you want email alerts, SMTP server, etc. It did install OSSEC, but it pegged my CPU at 100% and core-dumped on first start. Permissions on most files under /var/ossec are -r-xr-x---, meaning not even root can edit config files without first chmod-ing.

I am now struggling to ignore some log files which change daily, but I can't work out if I have PCRE2 support built in or not. I didn't get the chance to manually add it as described in the docs, though /etc/ossec-init.conf shows I have OSSEC v 3.6.0, so that means PCRE2 support ... is automatically supported? Maybe? The syscheck docs suggest the only "type" I can use for ignore is sregex, but the linked doc describing regex support describes 3 types (pcre2, regex, sregex). No idea how to work out which my install supports.

If I'd done a normal install of OSSEC instead of OSSEC+, I would have been able to manually try to enable PCRE2 support. Though even if it is/was supported, how do I use one, if only type=sregex is allowed on ignore?

As it is, my OSSEC+ install seems like a crippled OSSEC install. I have no idea how to use or enable or configure any of the OSSEC+ features, and the docs don't seem to cover any of them either. I'm on the verge of wiping the lot and going back to a plain OSSEC install.

What am I missing?
Post Reply