You could also take a look at the "OSSEC Reportd" tool; you could aggregate
stats for rule IDs, groups, location, etc.:

<http://ossec-docs.readthedocs.io/en/latest/programs/ossec-reportd.html>


For CSV output you could parse Reportd output.


Regards,
Pedro.

On Fri, May 12, 2017 at 10:48 AM, Jesus Linares <je...@wazuh.com> wrote:

> Hi,
>
> you can create a script to read that information from
> */var/ossec/logs/alerts*. Alerts are classified in years/month/days:
>
> /var/ossec/logs/alerts# tree
> .
> ├── 2017
> │   └── May
> │       ├── ossec-alerts-11.json.gz
> │       ├── ossec-alerts-11.json.sum
> │       ├── ossec-alerts-11.log.gz
> │       ├── ossec-alerts-11.log.sum
> │       ├── ossec-alerts-12.json
> │       └── ossec-alerts-12.log
> ├── alerts.json
> └── alerts.log
>
> Also, if you use Elasticsearch, it should be easy to create a query to get
> the information.
>
> Regards.
>
>
> On Tuesday, May 9, 2017 at 5:00:47 PM UTC+2, joe lee wrote:
>>
>> I am contacting you because I utilize your product and I am trying to
>> find the best way to get some detailed reporting and was wondering if someone
>> can assist. I am trying to do two things and if you can provide the
>> commands or instructions on how to, it would be appreciated.
>>
>>
>> 1. I am trying to do a dump of logs for the last seven days into a CSV/Excel
>> file; is there any way to do this because I have not found documentation
>> from the OSSEC site on how to?
>>
>> 2. I am trying to obtain a report that gives me the TOP 10 files or file
>> types that have been changed according to the logs. Maybe if we can get the
>> excel spreadsheet, then we can possibly set filters to obtain this
>> information.
>>
>>
>> Can someone please confirm if this information can be gathered and how?
>>
>>
>> Thank you
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
