ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Change OSSEC_GROUP #2085

Closed tn20000 closed 11 months ago

tn20000 commented 1 year ago

Is there any way to change OSSEC_GROUP (user group OSSEC is run under) if I install through apt?
I have this use case where I'm trying to scrape OSSEC logs along with some other logs using Loki promtail. Usually in Ubuntu, logs belong to the user group adm, so I can scrape most logs if I run promtail as a user under the adm user group. However, OSSEC logs belong to the user group ossec, and I haven't found any way to change this group ownership without installing it from source. If I just change the folder group ownership to adm, OSSEC will fail to start since it's not able to validate the config file (no read permission). Is there a good way to resolve this issue?

atomicturtle commented 11 months ago

Not in the binaries, could you add the loki promtail user to the ossec group so you can read alerts.log/json? That's how I've seen it done with other tools.

tn20000 commented 11 months ago

I ended up using ACLs to make the OSSEC logs folder belong to the adm group in addition to the ossec group, and also made the default ACL belong to the adm group so that any newly created files/folders belong to the adm group as well. Closing this issue.
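One way to carry out the ACL approach described in the closing comment, as an added shell example that is not part of the issue or of OSSEC itself. It assumes the acl package (setfacl/getfacl) is installed and the filesystem supports POSIX ACLs; the paths /var/ossec and /var/ossec/logs and the group name adm are placeholders for the local install. The point of the ACL route is that ownership stays ossec:ossec, so OSSEC can still read its own files and validate its config, while the log-shipper's group gets read access to existing files and, through a default ACL, to files OSSEC creates later.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: grant a second group read access to the
# OSSEC log directory with POSIX ACLs instead of changing group ownership.
# Assumptions: setfacl/getfacl are installed, the filesystem has ACL support,
# and the two variables below are placeholders for the local installation.
set -eu

OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"         # placeholder install root
READER_GROUP="${READER_GROUP:-adm}"            # placeholder: group promtail runs as

# grant_log_read_acl DIR GROUP
# Existing directories get an access ACL (r-x: list + traverse) and a default
# ACL (d:g:GROUP:rx) so children created later by OSSEC inherit group read.
# Existing files get read only. Owner/group of every path are left untouched.
grant_log_read_acl() {
    dir="$1"; grp="$2"
    find "$dir" -type d -exec setfacl -m "g:${grp}:rx" -m "d:g:${grp}:rx" {} +
    find "$dir" -type f -exec setfacl -m "g:${grp}:r" {} +
}

# grant_traverse_acl DIR GROUP
# Execute-only on a parent directory: lets the reader reach DIR/logs without
# being able to list or read anything else under DIR (standard installs keep
# the install root restricted to root:ossec).
grant_traverse_acl() {
    setfacl -m "g:$2:x" "$1"
}

# check_log_read_acl DIR GROUP -> 0 if DIR carries both the access entry and
# the default entry for GROUP, 1 otherwise. Run it after the change as a check.
check_log_read_acl() {
    dir="$1"; grp="$2"
    acl=$(getfacl -p "$dir" 2>/dev/null) || return 1
    printf '%s\n' "$acl" | grep -q "^group:${grp}:r-x" || return 1
    printf '%s\n' "$acl" | grep -q "^default:group:${grp}:r-x" || return 1
    return 0
}

# Apply only when explicitly asked, so the functions can be sourced/tested
# without touching the real install:  sh grant_ossec_log_acl.sh apply
if [ "${1:-}" = "apply" ]; then
    grant_traverse_acl "$OSSEC_HOME" "$READER_GROUP"
    grant_log_read_acl "$OSSEC_HOME/logs" "$READER_GROUP"
    check_log_read_acl "$OSSEC_HOME/logs" "$READER_GROUP" \
        && echo "ACL in place on $OSSEC_HOME/logs for group $READER_GROUP"
fi
```

New files still take their effective permissions from the creating mode masked against the inherited ACL, so a file OSSEC creates as 0640 ends up group-readable for the reader group but not writable; `getfacl` shows this on the `#effective:` column. Keep the reader group's entries to read and traverse only: the log shipper needs nothing more, and the ACL should not widen what the `ossec` group itself can do.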