Hi, I would also like to feed the alerts.log file into another application, and I would like to have a description of the meaning of each element in the log. Although I can most of the time guess the meaning, it would be nice to have a more precise description.
Tomas Dan wrote:
> Hi List
>
> I try to parse the ossec alerts.log logfile with an external script.
> Now I saw that the alerts aren't all the same way. I use a server-agent architecture.
> When I look at an alert of the server it looks like:
> ** Alert 1190348702.0: mail - syslog,attacks,invalid_login,
> 2007 Sep 21 06:25:02 mgmt->/var/log/auth.log
> Rule: 40101 (level 12) -> 'System user sucessfully logged to the system.'
> Src IP: (none)
> User: root
> Sep 21 06:25:01 mgmt su[20888]: + ??? root:nobody
>
> and here the one of the agent:
> ** Alert 1190363665.1572: mail - syslog,sudo
> 2007 Sep 21 10:34:25 (machine.domain.com) 192.168.169.251->/var/log/messages
> Rule: 5403 (level 4) -> 'First time user executed sudo.'
> Src IP: (none)
> User: test
> Sep 21 08:29:58 machine sudo: test : TTY=tty1 ; PWD=/var/home/test ; USER=root ; COMMAND=/bin/su
>
> So if I want to parse which system generated the alert, it is very hard to use a pattern. The agent name is 'machine.domain.com' and the server 'mgmt'!
> I have to use the complete hostname (including domain) for the agent name. And during the server installation ossec also found the name of the server 'mgmt.domain.com'! But why does it only write mgmt in the log file? And why does the IP address of the agent also appear?
>
> Is there any way to change that, or does anyone know how I can parse the alerts.log and split it into different files which only contain the alerts from the same host?
>
> Thanks for your help.
>
> Regards,
> Dan
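One way to parse the two alert layouts quoted above and bucket them per host, written as an added example for this thread (it is not code from the OSSEC project or from either poster). It keys on the short hostname so that the server's 'mgmt' and an agent's 'machine.domain.com' land in the same bucket; the sample input is constructed from the two quoted alerts, and the field names in the returned dicts are my own choice.

```python
import re
# Constructed sample modelled on the two quoted alerts: server ("mgmt->file") and agent ("(name) ip->file").
SAMPLE = """\
** Alert 1190348702.0: mail - syslog,attacks,invalid_login,
2007 Sep 21 06:25:02 mgmt->/var/log/auth.log
Rule: 40101 (level 12) -> 'System user sucessfully logged to the system.'
Src IP: (none)
User: root
Sep 21 06:25:01 mgmt su[20888]: + ??? root:nobody

** Alert 1190363665.1572: mail - syslog,sudo
2007 Sep 21 10:34:25 (machine.domain.com) 192.168.169.251->/var/log/messages
Rule: 5403 (level 4) -> 'First time user executed sudo.'
Src IP: (none)
User: test
Sep 21 08:29:58 machine sudo: test : TTY=tty1 ; PWD=/var/home/test ; USER=root ; COMMAND=/bin/su
"""
HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): \S+ - (?P<groups>\S*)$")
# Location line: "host->/path" (server) or "(agent name) ip->/path" (agent).
LOCATION = re.compile(r"^(?P<date>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) "
                      r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+?))->(?P<file>\S+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
def parse_alerts(text):
    """Split alerts.log text on blank lines and return one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head, loc = HEADER.match(lines[0]), LOCATION.match(lines[1])
        if not head or not loc:
            continue  # malformed block: skip it rather than mis-attribute it to a host
        # Key on the short hostname so "mgmt" and "machine.domain.com" are treated alike.
        a = {"id": head["id"], "groups": head["groups"].strip(",").split(","),
             "date": loc["date"], "file": loc["file"], "ip": loc["ip"],
             "host": (loc["agent"] or loc["host"]).split(".")[0], "events": []}
        for line in lines[2:]:
            if m := RULE.match(line):
                a["rule"], a["level"], a["desc"] = int(m["rule"]), int(m["level"]), m["desc"]
            elif line.startswith(("Src IP: ", "User: ")):
                key, _, val = line.partition(": ")
                a[key] = val  # "(none)" is kept verbatim, as OSSEC writes it
            else:
                a["events"].append(line)  # raw log line(s) that fired the rule
        alerts.append(a)
    return alerts

def split_by_host(alerts):
    by_host = {}  # short hostname -> list of alerts, one bucket per output file
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    return by_host
```

Writing each bucket of `split_by_host(parse_alerts(open("alerts.log").read()))` to its own file gives the per-host split asked for; unparseable blocks are skipped rather than guessed, so count them if you need completeness checks.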
