Logs Configuration – Server Management

1. Types of Logs in Argus #

Argus primarily generates the following types of logs:

  • Alert logs: records of the alerts raised when a collected event matches a rule.
  • Event logs: operational messages from the Argus components (the manager and the agents).
  • Error logs: errors and faults encountered by the Argus components.

By default these logs are written to the following locations:

  • /var/ossec/logs/ossec.log: operational and error messages from the Argus components running on that host (the manager, or an agent).
  • /var/ossec/logs/alerts/alerts.log: alerts raised by Argus rules.
  • /var/ossec/logs/archives/archives.log: archived event logs.

All three live under /var/ossec/logs. Treat that directory as evidence: restrict read access to the accounts that need it, and monitor free space on the partition, because a full disk means new alerts are silently no longer recorded.

2. Log Configuration in ossec.conf #

Log management in Argus is configured in ossec.conf. The main options control verbosity, output format, rotation, and where logs are stored or forwarded. A minimal <logging> block looks like this:

Example log configuration:

<logging>
  <log>yes</log>
  <log_format>plain</log_format>
  <log_level>2</log_level>
</logging>

Explanation of key parameters:

  • <log>: Enables or disables logging. Set to yes so that Argus writes its logs at all.
  • <log_format>: Output format. plain (the default) writes one human-readable line per entry; json writes one JSON object per entry, which log collectors can parse without custom patterns.
  • <log_level>: Verbosity of the operational log:
      • 0: No logging.
      • 1: Errors only.
      • 2: Warnings and errors.
      • 3: Information, warnings, and errors (the most detailed level).

Level 0 switches the operational log off entirely and should not be used on a production manager: a component failure would then go unrecorded, and you would only find out when alerts stopped arriving.

3. Log Rotation Configuration #

Log rotation keeps log files from growing without bound. On a monitoring host this is more than housekeeping: if the log partition fills up, new events and alerts can no longer be written, and an attacker who generates enough noise can bring that about deliberately. Configure rotation so that file size and age are bounded; rotation alone does not provide long-term retention, so copy rotated files to central storage if you need them for later investigation.

Example log rotation settings in ossec.conf:

<logging>
  <log_rotation>
    <enabled>yes</enabled>
    <size>50M</size>
    <interval>7d</interval>
  </log_rotation>
</logging>

Explanation of key parameters:

  • <enabled>: Enable or disable log rotation. Set to yes to rotate logs automatically.
  • <size>: Set the maximum size of a log file before it is rotated (e.g., 50M for 50 MB).
  • <interval>: Set the maximum time interval for rotating logs, regardless of size (e.g., 7d for 7 days).

4. Remote Logging Configuration #

Argus can forward its logs to a remote syslog server. In a centralized logging setup this is what puts a copy of the evidence out of reach of an attacker who gains root on the monitored host. Two caveats apply: syslog over udp is lossy (datagrams are dropped silently under load, with no indication to either side), and neither udp nor tcp syslog authenticates or encrypts anything on its own. On any network you do not fully trust, use tcp and carry the connection inside a VPN or TLS tunnel.

Example configuration for remote logging:

<logging>
  <remote>
    <enabled>yes</enabled>
    <server>192.168.1.200</server>
    <port>514</port>
    <protocol>udp</protocol>
  </remote>
</logging>

Explanation of key parameters:

  • <enabled>: Enables or disables remote logging. Set to yes to forward logs to the syslog server.
  • <server>: IP address or hostname of the remote syslog server.
  • <port>: Port used for syslog (514 is the conventional syslog port for both udp and tcp).
  • <protocol>: Transport for log forwarding, udp or tcp. Prefer tcp: it gives delivery confirmation and, unlike udp, does not lose messages silently when the receiver is busy.
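The following is an added example, not Argus code, showing what the <remote> settings above mean on the wire: each log line becomes an RFC 5424 syslog message, sent as one datagram when the protocol is udp, or with RFC 6587 octet-counting framing when it is tcp. The hostname, application name and syslog facility are assumptions, and the alert line is constructed.

```python
"""Forward Argus alert lines to the syslog server named in <remote>.

Added example, not Argus code. Each line becomes an RFC 5424 syslog message,
sent as one datagram over udp or with RFC 6587 octet-counting framing over
tcp. Hostname, app name and facility are assumptions; the alert is constructed.
"""
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16   # assumption: a site-local facility for Argus alerts
SEVERITY_WARNING = 4

# Constructed sample alert line; the rule id and text are made up.
SAMPLE_ALERT = "Rule 100200 (level 7) -> 'Multiple failed logins' from 203.0.113.7"


def build_syslog_message(msg, hostname="argus-manager", app="argus",
                         facility=FACILITY_LOCAL0, severity=SEVERITY_WARNING,
                         timestamp=None):
    """Return one RFC 5424 line (no trailing newline) carrying `msg`."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION is 1; PROCID, MSGID and STRUCTURED-DATA are the NILVALUE "-".
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def frame_for_tcp(message):
    """RFC 6587 octet counting: byte length, a space, then the message.

    The count is in bytes, not characters, so the text is encoded before it
    is measured. udp needs no framing: one datagram carries one message.
    """
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def example_message():
    """The constructed alert with a fixed timestamp, for a deterministic result."""
    fixed = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    return build_syslog_message(SAMPLE_ALERT, timestamp=fixed)


def forward(lines, server, port=514, protocol="udp"):
    """Send each line to server:port using the <protocol> value from <remote>.

    Neither branch encrypts or authenticates anything; on an untrusted
    network the tcp connection belongs inside a VPN or TLS tunnel.
    """
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:
                s.sendto(build_syslog_message(line).encode("utf-8"), (server, port))
    elif protocol == "tcp":
        with socket.create_connection((server, port), timeout=5) as s:
            for line in lines:
                s.sendall(frame_for_tcp(build_syslog_message(line)))
    else:
        raise ValueError(f"unsupported protocol: {protocol!r}")


if __name__ == "__main__":
    print(example_message())
    print(frame_for_tcp(example_message()))
```

Point forward() at a listener on your own machine (for example a netcat session on port 514) to compare the two transports: with udp every line leaves as its own packet whether or not anything is listening, while with tcp the connection fails immediately if the server is down, which is exactly the difference a monitoring pipeline cares about.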

5. Alert Logging Configuration #

Alert logs capture security-related alerts triggered by Argus’s rules. You can configure how these alerts are stored and formatted in the alerts.json or alerts.log files.

Example alert logging configuration:

<alerts>
  <log_alerts>yes</log_alerts>
  <json_output>yes</json_output>
</alerts>

Explanation of key parameters:

  • <log_alerts>: Enable or disable logging of security alerts. Set to yes to log alerts.
  • <json_output>: Set to yes to also write alerts as JSON (one object per line in alerts.json), which SIEM collectors can ingest without custom parsing patterns.
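The settings in sections 2 to 5 are easy to weaken during troubleshooting and forget to restore. The following is an added example, not Argus code, that reads the <logging> and <alerts> blocks of an ossec.conf with Python's standard XML parser and reports settings that fall short of a sensible policy: logging on, log level at least 2, rotation enabled, tcp rather than udp for remote forwarding, and JSON alert output. It assumes the element names used on this page and that the file is plain XML; the weak and hardened configurations are constructed.

```python
"""Audit the <logging> and <alerts> blocks of an Argus-style ossec.conf.

Added example, not Argus code. It assumes the element names used on this
page (<log>, <log_level>, <log_rotation>, <remote>, <alerts>) and that the
configuration is plain XML. Both configurations below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: a permissive configuration someone left behind after debugging.
WEAK_CONF = """<ossec_config>
  <logging>
    <log>yes</log>
    <log_format>plain</log_format>
    <log_level>1</log_level>
    <remote>
      <enabled>yes</enabled>
      <server>192.168.1.200</server>
      <port>514</port>
      <protocol>udp</protocol>
    </remote>
  </logging>
  <alerts>
    <log_alerts>yes</log_alerts>
    <json_output>no</json_output>
  </alerts>
</ossec_config>"""

# Constructed: the same file with every finding below addressed.
HARDENED_CONF = """<ossec_config>
  <logging>
    <log>yes</log>
    <log_format>json</log_format>
    <log_level>2</log_level>
    <log_rotation>
      <enabled>yes</enabled>
      <size>50M</size>
      <interval>7d</interval>
    </log_rotation>
    <remote>
      <enabled>yes</enabled>
      <server>192.168.1.200</server>
      <port>514</port>
      <protocol>tcp</protocol>
    </remote>
  </logging>
  <alerts>
    <log_alerts>yes</log_alerts>
    <json_output>yes</json_output>
  </alerts>
</ossec_config>"""


def _text(root, path, default):
    """Lower-cased text of the first element at `path`, or `default` if absent."""
    node = root.find(path)
    if node is None or node.text is None:
        return default
    return node.text.strip().lower()


def audit_logging(conf_xml):
    """Return a list of findings; an empty list means the policy is met.

    Defaults applied when an element is missing are assumptions: logging on,
    level 2, rotation off, remote off, alert logging off, JSON off.
    """
    root = ET.fromstring(conf_xml)
    findings = []
    if _text(root, "logging/log", "yes") != "yes":
        findings.append("logging disabled: <log> must be yes")
    level = int(_text(root, "logging/log_level", "2"))
    if level < 2:
        findings.append(f"log_level {level} drops warnings; use 2 or higher")
    if _text(root, "logging/log_rotation/enabled", "no") != "yes":
        findings.append("log rotation disabled: ossec.log can fill the disk")
    if _text(root, "logging/remote/enabled", "no") == "yes":
        if _text(root, "logging/remote/protocol", "udp") != "tcp":
            findings.append("remote logging over udp: messages are dropped silently; use tcp")
    if _text(root, "alerts/log_alerts", "no") != "yes":
        findings.append("alert logging disabled: <log_alerts> must be yes")
    if _text(root, "alerts/json_output", "no") != "yes":
        findings.append("alerts not written as JSON; SIEM ingestion will need a plain-text parser")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_logging(conf) or ["ok"])
```

Run it against the real file with audit_logging(open("/var/ossec/etc/ossec.conf").read()) from a configuration-management hook or a scheduled job, and treat any finding as a change to investigate rather than a style warning: each one corresponds to a way the host can stop producing or delivering evidence.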

6. Monitoring Logs via the Argus Dashboard #

In addition to configuring logs via ossec.conf, you can monitor and view logs directly from the Argus Dashboard under the Monitoring section:

  • View system logs.
  • Review alerts generated from rule violations.
  • Analyze trends in log volume and alert counts over time, both for capacity planning and for spotting unusual activity.
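The same review can be done outside the dashboard, straight from the alerts.json file that <json_output> produces. The following is an added example, not Argus code: it reads the file line by line, counts alerts at or above a chosen level per agent and per rule, and counts rather than aborts on a malformed line (a crash or a rotation in the middle of a write can leave one). The field names (rule.level, rule.id, rule.description, agent.name) and the sample lines are constructed assumptions about the JSON layout.

```python
"""Summarise an Argus alerts.json file by agent and by rule.

Added example, not Argus code. Assumes one JSON object per line with
rule -> {level, id, description} and agent -> {name}; those field names and
the sample lines are constructed. A malformed line is counted, not fatal.
"""
import json
from collections import Counter

# Constructed alerts.json content; the last line is deliberately truncated.
SAMPLE_ALERTS_JSON = "\n".join([
    '{"timestamp":"2024-05-01T12:00:01Z","rule":{"level":5,"id":"100200",'
    '"description":"Failed login"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-05-01T12:00:04Z","rule":{"level":10,"id":"100210",'
    '"description":"Brute force"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-05-01T12:00:09Z","rule":{"level":3,"id":"100300",'
    '"description":"Config changed"},"agent":{"name":"db-01"}}',
    '{"timestamp":"2024-05-01T12:00:12Z","rule":{"level":10,"id":"100210","desc',
])


def parse_alerts(text):
    """Return (alerts, bad_lines): decoded alert dicts and the count of lines
    that were not valid JSON. Blank lines are skipped silently."""
    alerts, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return alerts, bad


def summarise(alerts, min_level=0):
    """Count alerts with rule.level >= min_level per agent and per (rule id, description)."""
    by_agent, by_rule = Counter(), Counter()
    for alert in alerts:
        rule = alert.get("rule", {})
        if rule.get("level", 0) < min_level:
            continue
        by_agent[alert.get("agent", {}).get("name", "unknown")] += 1
        by_rule[(rule.get("id"), rule.get("description"))] += 1
    return by_agent, by_rule


def load_alerts_file(path):
    """Read an alerts.json file from disk and parse it (errors='replace' keeps
    a single bad byte from aborting the whole run)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_alerts(fh.read())


if __name__ == "__main__":
    alerts, bad = parse_alerts(SAMPLE_ALERTS_JSON)
    by_agent, by_rule = summarise(alerts, min_level=5)
    print(f"{len(alerts)} alerts parsed, {bad} malformed line(s)")
    print("by agent:", dict(by_agent))
    print("by rule:", dict(by_rule))
```

A non-zero malformed-line count on a production file is itself worth a look: it usually means the manager was restarted or the disk filled while an alert was being written, both of which are events the operational log should explain.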
