Unless I am missing something, the linked docs do not cover OSSEC+ at all?
https://www.ossec.net/ pushes OSSEC+ as a step up from the base OSSEC install, and lists a bunch of extras, but where are they? How do I use them?
I registered for OSSEC+ and followed through the install guide. The process was extremely poor. It was so bad I started keeping notes to pass on, and I submitted them through the email feedback request I got a day later.
Was I supposed to install OSSEC first, and then install OSSEC+ (or oum, I guess)? The OSSEC+/oum install process did not walk me through the install steps like a normal OSSEC install does, where you are asked if you want email alerts, SMTP server, etc. It did install OSSEC, but it pegged my CPU at 100% and core-dumped on first start. Permissions on most files under /var/ossec are -r-xr-x---, meaning not even root can edit config files without first chmod-ing.
I am now struggling to ignore some log files which change daily, but I can't work out if I have PCRE2 support built in or not. I didn't get the chance to manually add it as described in the docs, though /etc/ossec-init.conf shows I have OSSEC v 3.6.0, so that means PCRE2 support ... is automatically supported? Maybe?
The syscheck docs suggest the only "type" I can use for ignore is sregex, but the linked doc describing regex support describes 3 types (pcre2, regex, sregex). No idea how to work out which my install supports.
If I'd done a normal install of OSSEC instead of OSSEC+, I would have been able to manually try to enable PCRE2 support. Though even if it is/was supported, how do I use one, if only type=sregex is allowed on ignore?
As it is, my OSSEC+ install seems like a crippled OSSEC install. I have no idea how to use or enable or configure any of the OSSEC+ features, and the docs don't seem to cover any of them either. I'm on the verge of wiping the lot and going back to a plain OSSEC install.
What am I missing?
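The syscheck `<ignore>` question in the post is the one part that can be shown concretely. The fragment below is an added example written for this thread; it is not from the poster or from the OSSEC project. It sticks to the `type="sregex"` form that the syscheck docs describe, so it does not depend on whether the build has PCRE2 compiled in. The directory names under /var/log/myapp and the rotated-file suffixes are assumed placeholders, not anything taken from the post.

```xml
<!-- Constructed example ossec.conf fragment (not from the original post). -->
<ossec_config>
  <syscheck>
    <!-- Trees to monitor. /var/log/myapp is an assumed path used only for illustration. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/log/myapp</directories>

    <!-- An <ignore> with no type attribute is a literal path match. -->
    <ignore>/var/log/lastlog</ignore>
    <ignore>/var/log/wtmp</ignore>

    <!-- type="sregex" is the simple-regex flavour accepted on syscheck ignore.
         It understands ^ (anchor start), $ (anchor end), | (alternation) and
         ! (negation); every other character is matched literally, so "." is
         a real dot here, not a wildcard. -->

    <!-- Anything whose path begins with the assumed daily-rotating prefix. -->
    <ignore type="sregex">^/var/log/myapp/daily-</ignore>

    <!-- Any file ending in one of the rotation/temporary suffixes (assumed). -->
    <ignore type="sregex">.log$|.log.1$|.gz$|.swp$|~$</ignore>
  </syscheck>
</ossec_config>
```

The suffix pattern is one alternation rather than several `<ignore>` lines so that a single rule documents the whole "rotated and scratch files" policy; each alternative is still anchored with `$` so it cannot silently swallow unrelated paths that merely contain the text. After editing ossec.conf, restart the agent/manager and confirm the change in the syscheck log before assuming the ignores are in effect; an over-broad ignore on a monitored tree turns off the integrity checking you installed OSSEC for.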