Hi Wim,

The reportd on v2.3 doesn't allow you to create reports per individual hosts or users, but on the latest snapshot I added the option to do so. You can try it out from:

http://www.ossec.net/files/snapshots/ossec-hids-091211.tar.gz

The filters for the "-f" can be (starting from today's snapshot):

-level
-group
-rule (for a single rule id)
-location
-srcip (not valid on v2.3)
-user (not valid on v2.3)

The filters for the "-r" can be:

-level
-group
-rule (for a single rule id)
-location
-srcip
-user

If you want reports per single agents (or even single log files), you could do so using the location field. Like:

# Report for agent home-ubuntu
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f location home-ubuntu

You could also provide more values to filter per agent per group (say authentication):

# Report for authentication (failure or success) on agent home-ubuntu
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f location home-ubuntu -f group auth

For single user reports, you can do:

# Report on events from user dcid
cat /var/ossec/logs/alerts/alerts.log | /home/dcid/dev/ossec-hids/src/monitord/ossec-reportd -f user dcid

Hope that helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Dec 9, 2009 at 8:50 AM, wremes <[email protected]> wrote:
> Hi,
>
> I've checked ossec.net but the documentation for ossec-reportd is
> fairly old and non-exhaustive.
>
> While I can perform most of the reports and I've obtained a list of
> existing groups by grepping the xml files in the rules directory, I
> would need an overview of all possible -f and -r arguments. Does such
> a list exist?
>
> Examples:
> how to create a report on one specific user
> cat logfile | ossec-reportd -n "User" -f ??? -r ???
> how to create a report on one specific host
> cat logfile | ossec-reportd -n "Host" -f ?? -r ???
>
> Thanks in advance,
>
> Wim
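As an added illustration of the filter fields listed in the reply above (example code, not from the thread or from OSSEC itself): a small Python model of what `-f` and `-r` do, run over a constructed alerts.log sample. The matching semantics (level as a minimum, rule id as exact, the other fields as substring matches on the alert's text) are an assumption about reportd's behaviour, not something the thread states.

```python
import re
from collections import Counter

# Constructed alerts.log sample (three entries; not taken from the thread).
SAMPLE = """\
** Alert 1260367848.1: - syslog,sshd,authentication_failed,
2009 Dec 09 08:50:48 (home-ubuntu) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: dcid
Dec  9 08:50:47 home-ubuntu sshd[1234]: Failed password for dcid from 10.0.0.5 port 22 ssh2

** Alert 1260367900.2: - ossec,syscheck,
2009 Dec 09 08:51:40 (home-ubuntu) 192.168.1.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1260367950.3: - syslog,sshd,authentication_failed,
2009 Dec 09 08:52:30 (web-server) 192.168.1.20->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
User: root
"""

HEADER = re.compile(r"^\*\* Alert \S+: .*- (\S+)$")           # trailing group list
STAMP = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d (.+)$")  # "(agent) ip->file"
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    # Each alert is a blank-line separated block: header, location, rule, extras.
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rule = RULE.match(lines[2])
        a = {"group": HEADER.match(lines[0]).group(1).strip(","), "srcip": "",
             "location": STAMP.match(lines[1]).group(1), "user": "",
             "rule": rule.group(1), "level": int(rule.group(2))}
        for line in lines[3:]:  # optional fields that follow the Rule line
            if line.startswith("Src IP: "): a["srcip"] = line[8:]
            elif line.startswith("User: "): a["user"] = line[6:]
        yield a

def matches(a, field, value):
    # Assumption modelled on reportd: level is a minimum, rule is exact, rest substring.
    if field == "level": return a["level"] >= int(value)
    return a["rule"] == value if field == "rule" else value in a[field]

def report(text, filters, related):
    # Like `reportd -f F V ... -r R`: keep alerts matching every -f pair, count the -r field.
    kept = [a for a in parse_alerts(text) if all(matches(a, f, v) for f, v in filters)]
    return len(kept), Counter(a[related] for a in kept)
```

`report(SAMPLE, [("location", "home-ubuntu"), ("group", "auth")], "srcip")` corresponds to the second command in the reply, with the source IPs as the related field.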
