On Thu, Nov 25, 2010 at 4:26 PM, Alessandro Di Giuseppe <a_di_giuse...@yahoo.com> wrote:
> Hi all,
> I would like to forward only some of OSSEC's alerts via syslog to a
> commercial SIEM device, e.g., rootcheck and syscheck events; however I only
> found documentation on filtering syslog by alert level.
> Would there be a creative way, using local rules perhaps, to filter only
> certain groups of alerts to forward by syslog?
> Or maybe is this a feature request for D. Cid? ;-)
> Thanks,
> Alessandro
>
This is probably "hack-ish," and definitely untested (by me at least). You could run rsyslog on the OSSEC manager (a second instance or whatever on loopback or a different port), and forward OSSEC alerts to that process. It looks like ( http://www.rsyslog.com/doc/rsyslog_conf_filter.html ) rsyslog lets you filter messages based on various criteria including the syslog message. Using that feature you might be able to get the selective forwarding you're looking for. I don't have an ossec-csyslogd example message handy to play with it or a way to test it at the moment, so no examples or possible configs at the moment.
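An added example (not from the thread or from the OSSEC project) of what the second rsyslog instance described above could look like, in rsyslog's legacy configuration syntax. The loopback port, the `ossec` program name, the SIEM hostname and the rule-id ranges (510-516 for rootcheck, 550-554 for syscheck, the default OSSEC ids) are assumptions, not values taken from the post.

```conf
# Added example, not the list poster's or OSSEC's own config.
# Assumed setup: ossec-csyslogd on the manager sends to 127.0.0.1:10514,
# its messages are tagged "ossec:" and contain the rule id as "Rule: NNN",
# and the SIEM collector listens on siem.example.com:514/udp (placeholders).
# Start as a second instance with its own pid file, e.g.:
#   rsyslogd -f /etc/rsyslog-ossec.conf -i /var/run/rsyslogd-ossec.pid

$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 10514

# Keep a local copy of everything received from OSSEC, for troubleshooting
# the filters before trusting them in production.
:programname, isequal, "ossec"  /var/log/ossec-forward.log

# Forward only rootcheck (510-516) and syscheck (550-554) alerts to the SIEM,
# matched on the rule id in the message body (POSIX ERE via ereregex).
# "& ~" discards the matched message so the catch-all below never sees it.
:msg, ereregex, "Rule: 5(1[0-6]|5[0-4]) "  @siem.example.com:514
& ~

# Every other OSSEC alert stops here and is not forwarded.
:programname, isequal, "ossec"  ~
```

Check the actual ossec-csyslogd output in /var/log/ossec-forward.log first and adjust the regex to whatever string reliably identifies the groups you want, since the rule-id format above is assumed.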