Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Santiago Bassett
Yes, afaik, at least Logstash and Rsyslog can be used to parse the alerts file and split alerts on a per-agent basis. On Thu, May 12, 2016 at 8:08 AM, Pedro Sanchez wrote: > Hi, > > You can process alerts.json with Logstash, use a filter in the output > section and write to

[ossec-list] Re: Duplicated counter

2016-05-12 Thread Abdulvehhab Agin
Thanks for your interest. On Thursday, 12 May 2016 at 10:37:15 UTC+3, Pedro S wrote: > > Hi, > > If multiple agents are using the same key, you need to set them up with > their own unique key. > If you re-installed an agent and didn't backup the rids files, you should > create a new key for the

[ossec-list] Re: Have Snort signature trigger Ossec active response...?

2016-05-12 Thread Jacob Mcgrath
I am thinking of monitoring the sguild.logs for snort alerts such as the one below, for which decoders would have to be made (which I am weak on): 2016-05-12 16:08:58 pid(2410) Sending sock222f690: InsertEvent {0 0 unknown alamo-eth1-1 {2016-05-12 16:08:58} 3 106 {Port Scan} 10.40.2.75

Re: [ossec-list] Re: Prerequisites Installation OSSEC

2016-05-12 Thread Santiago Bassett
Also works on RHEL and OEL 7. > On May 12, 2016, at 4:38 AM, dan (ddp) wrote: > >> On Thu, May 12, 2016 at 6:37 AM, david franco wrote: >> Hi, >> I was also searching this topic, specifically about the Operating system >> requirements. >> I have read the

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Pedro Sanchez
Hi, You can process alerts.json with Logstash, use a filter in the output section and write to whichever different files you prefer (use codec to specify the output format): output { if [AgentName] == "agent1" {

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread dan (ddp)
On Thu, May 12, 2016 at 10:29 AM, Yurii Shatylo wrote: > Honestly I don't know how to do it. Rsyslog takes events based on different > parameters and writes output to the file which you defined. As for ossec > it's another story with its own engine: I didn't find any original

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Yurii Shatylo
Honestly I don't know how to do it. Rsyslog takes events based on different parameters and writes output to the file which you defined. As for ossec it's another story with its own engine: I didn't find any original output from the agent on the server. I can find only the alert log file. That's a problem for

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread dan (ddp)
Digging into rsyslog a bit, I think it's doable. But I haven't figured out the specifics. I think you use a template and regex.submatch to grab the agent name from "Location: ix->/var/log/messages;" (ix being my agent). Then based on that submatch, use a dynafile to log the alert to that agent's
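Both approaches in this thread, Pedro's Logstash conditional on the `AgentName` field of alerts.json and dan's rsyslog idea of a regex submatch on `Location: ix->/var/log/messages;` feeding a dynafile, come down to the same two steps: pull the agent name out of each alert, then write the alert to a file named after that agent. The script below is an added example (not code from OSSEC, Logstash, rsyslog or anyone in the thread) that does both in plain Python so the extraction logic can be checked offline before it is encoded in a Logstash or rsyslog config. It assumes the alerts.json field is called `AgentName` as in Pedro's snippet, falls back to the `location` field when that is absent, and handles the syslog-forwarded form with the `Location: <agent>-><file>;` field. Every sample alert line in it is constructed for the example, including the agent names, IPs and rule numbers.

```python
"""Split OSSEC alerts into one file per agent (added example, not OSSEC/Logstash/rsyslog code)."""
import json
import os
import re
import tempfile
from collections import defaultdict

# Location strings seen in OSSEC alerts: "(ix) 10.0.0.5->/var/log/messages" (agent),
# "ix->/var/log/messages" (server-local), "(winsrv03) 10.0.0.13->WinEvtLog" (Windows agent).
# The agent name is the token before the optional ")" and IP, up to the "->" separator.
LOCATION_RE = re.compile(r"^\(?([^()\s]+?)\)?(?:\s+[^\s>]+)?->")
# In a syslog-forwarded alert the Location field ends at the first ";".
SYSLOG_LOCATION_RE = re.compile(r"Location: ([^;]+);")


def agent_from_location(location):
    """Agent name from an OSSEC location string, or None if it has no '->' separator."""
    m = LOCATION_RE.match(location.strip())
    return m.group(1) if m else None


def agent_from_json(line):
    """Agent name from an alerts.json line; None if the line is not a JSON object."""
    try:
        alert = json.loads(line)
    except ValueError:
        return None
    if not isinstance(alert, dict):
        return None
    name = alert.get("AgentName")          # field name assumed from the thread's Logstash snippet
    if isinstance(name, str) and name:
        return name
    return agent_from_location(str(alert.get("location", "")))  # fallback when AgentName is absent


def agent_from_syslog(line):
    """Agent name from a client_syslog alert line ('... Location: X->file; ...')."""
    m = SYSLOG_LOCATION_RE.search(line)
    return agent_from_location(m.group(1)) if m else None


def agent_for(line):
    """Best-effort agent name for any alert line; unparseable lines go to 'unknown'."""
    return agent_from_json(line) or agent_from_syslog(line) or "unknown"


def split_alerts(lines):
    """Group alert lines by agent: {agent: [line, ...]}."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if line:
            buckets[agent_for(line)].append(line)
    return dict(buckets)


def safe_filename(agent):
    """The agent name comes from log data: never let it become a path component."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", agent).strip(".")
    return (safe or "unknown") + ".log"


def write_split(lines, outdir):
    """Append each agent's alerts to <outdir>/<agent>.log; returns {agent: path}."""
    os.makedirs(outdir, exist_ok=True)
    paths = {}
    for agent, alerts in split_alerts(lines).items():
        path = os.path.join(outdir, safe_filename(agent))
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(alerts) + "\n")
        paths[agent] = path
    return paths


# Constructed sample input: three alerts.json lines (as Logstash's file input would read
# them) and two alerts forwarded via <syslog_output> to rsyslog, plus one non-alert line.
SAMPLE_ALERTS = [
    json.dumps({"rule": {"level": 5, "comment": "SSHD authentication failed."},
                "AgentName": "agent1", "location": "(agent1) 10.0.0.11->/var/log/auth.log",
                "full_log": "May 12 13:08:57 agent1 sshd[1234]: Failed password for root"}),
    json.dumps({"rule": {"level": 7, "comment": "Integrity checksum changed."},
                "AgentName": "agent2", "location": "(agent2) 10.0.0.12->syscheck",
                "full_log": "Integrity checksum changed for: '/etc/passwd'"}),
    json.dumps({"rule": {"level": 10, "comment": "Multiple Windows logon failures."},
                "location": "(winsrv03) 10.0.0.13->WinEvtLog", "full_log": "WinEvtLog: Security"}),
    "May 12 13:08:58 ossec-server ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (agent1) 10.0.0.11->/var/log/auth.log; srcip: 192.0.2.10; user: root; "
    "May 12 13:08:57 agent1 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "May 12 13:09:01 ossec-server ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; "
    "Location: ix->/var/log/messages; user: dan; May 12 13:09:00 ix sudo: dan : TTY=pts/0 ; COMMAND=/bin/ls",
    "May 12 13:09:05 ossec-server kernel: eth0: link is up",
]


def demo(outdir=None):
    """Run the splitter over the samples (into a temp dir unless outdir is given)."""
    outdir = outdir or tempfile.mkdtemp(prefix="ossec-split-")
    return split_alerts(SAMPLE_ALERTS), write_split(SAMPLE_ALERTS, outdir)


if __name__ == "__main__":
    buckets, paths = demo()
    for agent, lines in buckets.items():
        print(f"{agent}: {len(lines)} alert(s) -> {paths[agent]}")
```

Two things carry over to the real Logstash or rsyslog setup. First, the file name is derived from untrusted data (an agent name is whatever the agent was registered as, and the syslog Location field is whatever the forwarder sent), so sanitise it before it reaches a `dynafile` template or a Logstash file output path; otherwise a hostile or mistyped name can write outside the target directory. Second, lines that yield no agent should land in a catch-all file rather than be dropped, so that a broken decoder or an unexpected alert format shows up as an "unknown" file filling up instead of silently lost alerts.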

[ossec-list] Security Metrics With OSSEC

2016-05-12 Thread namobuddhaonion
Hello Group, I'm trying to come up with some measurable security metrics within OSSEC: i.e. items which can be measured to show improvements or decreases in security posture. I'm not sure this is possible, but I was wondering if anyone else has ever tried to do this with OSSEC. Thanks! --

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread dan (ddp)
On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo wrote: > I need to put alerts into their own files for every event source. Do you know > where the original event is coming from before it is handled by ossec? I put in the rsyslog > configuration: if from IP then to file, but it didn't help me. >

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Yurii Shatylo
I need to put alerts into their own files for every event source. Do you know where the original event is coming from before it is handled by ossec? I put in the rsyslog configuration: if from IP then to file, but it didn't help me. 2016-05-12 15:05 GMT+03:00 dan (ddp) : > On Thu, May 12, 2016 at 7:55

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread dan (ddp)
On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo wrote: > Thanks for your response but it sounds difficult for me. > Maybe it is possible to do it before the event is handled by the ossec engine, for > example by rsyslog? > Maybe. Use the client syslog functionality to send the alerts

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Yurii Shatylo
Thanks for your response but it sounds difficult for me. Maybe it is possible to do it before the event is handled by the ossec engine, for example by rsyslog? 2016-05-12 14:39 GMT+03:00 dan (ddp) : > On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo > wrote: > >

Re: [ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread dan (ddp)
On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo wrote: > Dears, > > Can anyone give a hand? Is it possible to divide the alerts output into > different files per source? For example, 3 agents installed on > Windows servers produce alert output to the one file >

Re: [ossec-list] Re: Prerequisites Installation OSSEC

2016-05-12 Thread dan (ddp)
On Thu, May 12, 2016 at 6:37 AM, david franco wrote: > Hi, > I was also searching this topic, specifically about the Operating system > requirements. > I have read the various links shown below, plus release notes etc and whilst > they are all informative I still see nothing

[ossec-list] How to divide ossec alerts from any sources into different files?

2016-05-12 Thread Yurii Shatylo
Dears, Can anyone give a hand? Is it possible to divide the alerts output into different files per source? For example, 3 agents installed on Windows servers produce alert output to the one file /var/ossec/logs/alerts/alerts.log, but I need every event source to produce alerts

[ossec-list] Re: Prerequisites Installation OSSEC

2016-05-12 Thread david franco
Hi, I was also searching this topic, specifically about the Operating system requirements. I have read the various links shown below, plus release notes etc, and whilst they are all informative I still see nothing which tells me: can I use the latest version of RHEL or Oracle EL, or should I stay on

[ossec-list] Re: Duplicated counter

2016-05-12 Thread Pedro S
Hi, If multiple agents are using the same key, you need to set them up with their own unique key. If you re-installed an agent and didn't backup the rids files, you should create a new key for the agent and use that. If you prefer to avoid any counter errors, try to deactivate counters, open