Hi List,

I try to parse the ossec alerts.log logfile with an external script. Now I saw that the alerts aren't all the same way. I use a server-agent architecture. When I look at an alert of the server it looks like:

** Alert 1190348702.0: mail - syslog,attacks,invalid_login,
2007 Sep 21 06:25:02 mgmt->/var/log/auth.log
Rule: 40101 (level 12) -> 'System user sucessfully logged to the system.'
Src IP: (none)
User: root
Sep 21 06:25:01 mgmt su[20888]: + ??? root:nobody

and here the one of the agent:

** Alert 1190363665.1572: mail - syslog,sudo
2007 Sep 21 10:34:25 (machine.domain.com) 192.168.169.251->/var/log/messages
Rule: 5403 (level 4) -> 'First time user executed sudo.'
Src IP: (none)
User: test
Sep 21 08:29:58 machine sudo: test : TTY=tty1 ; PWD=/var/home/test ; USER=root ; COMMAND=/bin/su

So if I want to parse which system generated the alert, it is very hard to use a pattern. The agent name is 'machine.domain.com' and the server 'mgmt'! I have to use the complete hostname (including domain) for the agent name. And during the server installation ossec also found the name of the server, 'mgmt.domain.com'! But why does it only write mgmt in the log file? And why does the IP address of the agent also appear? Is there any way to change that, or does anyone know how I can parse the alerts.log and split it into different files which only contain the alerts from the same host?

Thanks for your help.

Regards,
Dan
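
The two alert shapes quoted above differ only in their second line: the server writes a bare hostname before "->", while an agent is written as "(name) ip". A parser that keys on that line can therefore treat both forms uniformly. The following is an added example, not Dan's script and not OSSEC's own code; it assumes the six-line alert layout shown in the post (header, location, Rule, optional Src IP and User lines, then the original event) and uses a constructed alerts.log built from those two alerts as sample input. The names parse_alerts, split_by_host and write_per_host are this example's own.

```python
"""Parse an OSSEC alerts.log and group the alerts by the host that produced them."""
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample input, modelled on the two alerts quoted in the post
# (one raised on the server "mgmt", one on the agent "machine.domain.com").
SAMPLE_ALERTS_LOG = """\
** Alert 1190348702.0: mail - syslog,attacks,invalid_login,
2007 Sep 21 06:25:02 mgmt->/var/log/auth.log
Rule: 40101 (level 12) -> 'System user sucessfully logged to the system.'
Src IP: (none)
User: root
Sep 21 06:25:01 mgmt su[20888]: + ??? root:nobody

** Alert 1190363665.1572: mail - syslog,sudo
2007 Sep 21 10:34:25 (machine.domain.com) 192.168.169.251->/var/log/messages
Rule: 5403 (level 4) -> 'First time user executed sudo.'
Src IP: (none)
User: test
Sep 21 08:29:58 machine sudo: test : TTY=tty1 ; PWD=/var/home/test ; USER=root ; COMMAND=/bin/su
"""

# Line 1: "** Alert <id>: [flags] - <groups>" (groups may carry a trailing comma).
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<flags>\S+)?\s*-\s*(?P<groups>\S*)$")
# Line 2: timestamp, then either "(agent) ip->logfile" or "server->logfile".
LOCATION_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<server>\S+))->(?P<logfile>\S+)$"
)
# Line 3: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def _records(text):
    """Yield the non-empty lines of each alert; a record starts at a '** Alert' line."""
    current = []
    for line in text.splitlines():
        if line.startswith("** Alert"):
            if current:
                yield current
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        yield current


def parse_alert(lines):
    """Turn one alert's lines into a dict; raise ValueError if the block does not fit the layout."""
    header = HEADER_RE.match(lines[0])
    location = LOCATION_RE.match(lines[1]) if len(lines) > 1 else None
    rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
    if not (header and location and rule):
        raise ValueError("unrecognised alert block starting with: %r" % lines[0])
    alert = {
        "id": header.group("id"),
        "flags": header.group("flags"),
        "groups": [g for g in header.group("groups").split(",") if g],
        "timestamp": location.group("ts"),
        # Agents appear as "(name) ip", the server as a bare hostname; both end up in "host".
        "host": location.group("agent") or location.group("server"),
        "agent_ip": location.group("ip"),  # None for alerts raised on the server itself
        "logfile": location.group("logfile"),
        "rule": int(rule.group("rule")),
        "level": int(rule.group("level")),
        "description": rule.group("desc"),
        "src_ip": None,
        "user": None,
        "raw": "\n".join(lines),
    }
    rest = lines[3:]
    # "Src IP:" and "User:" are optional and precede the original log event.
    while rest and (rest[0].startswith("Src IP: ") or rest[0].startswith("User: ")):
        key, _, value = rest.pop(0).partition(": ")
        alert["src_ip" if key == "Src IP" else "user"] = None if value == "(none)" else value
    alert["event"] = "\n".join(rest)
    return alert


def parse_alerts(text):
    return [parse_alert(record) for record in _records(text)]


def split_by_host(text, short_names=False):
    """Map each host to the raw text of its alerts. With short_names=True the domain part is
    dropped, so an agent written as 'machine.domain.com' is keyed like a bare 'machine'."""
    by_host = defaultdict(list)
    for alert in parse_alerts(text):
        key = alert["host"].split(".")[0] if short_names else alert["host"]
        by_host[key].append(alert["raw"])
    return dict(by_host)


def write_per_host(text, directory, short_names=False):
    """Write one '<host>.log' per host into directory and return the paths written, sorted."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    written = []
    for host, alerts in split_by_host(text, short_names).items():
        safe_name = re.sub(r"[^\w.-]", "_", host)  # never let a host name shape a path
        path = directory / (safe_name + ".log")
        path.write_text("\n\n".join(alerts) + "\n")
        written.append(path)
    return sorted(written)


if __name__ == "__main__":
    for host, alerts in split_by_host(SAMPLE_ALERTS_LOG).items():
        print("%s: %d alert(s)" % (host, len(alerts)))
```

Run against a real file with `write_per_host(open("/var/ossec/logs/alerts/alerts.log").read(), "split")`. The host key is taken exactly as the location line spells it, so the server keeps its short name and agents keep the name they registered with; `short_names=True` collapses both to the first label when that is the grouping you want. Alerts whose block does not match the expected layout raise rather than being silently misfiled.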
