I would like to store all logs processed by ossec and all normalized
fields in my own data store. Is this possible without modifying the
source code? I thought perhaps I could use the active response system,
but I'm not sure all the information I need can be passed to that
system.
It supports MySQL and Postgres out of the box. What data goes in those
databases? Looking over the source code, I see the event struct (shown
below). Is there a way to get access to that information?
Thanks,
Scott
/* Event Information structure */
typedef struct _Eventinfo
{
    /* Extracted from the event */
    char *log;
    char *full_log;
    char *location;
    char *hostname;
    char *program_name;

    /* Extracted from the decoders */
    char *srcip;
    char *dstip;
    char *srcport;
    char *dstport;
    char *protocol;
    char *action;
    char *srcuser;
    char *dstuser;
    char *id;
    char *status;
    char *command;
    char *url;
    char *data;
    char *systemname;

    /* Pointer to the rule that generated it */
    RuleInfo *generated_rule;

    /* Pointer to the decoder that matched */
    OSDecoderInfo *decoder_info;

    /* Sid node to delete */
    OSListNode *sid_node_to_delete;

    /* Extract when the event fires a rule */
    int size;
    int p_name_size;

    /* Other internal variables */
    short int matched;
    int time;
    int day;
    int year;
    char hour[10];
    char mon[4];

    /* SYSCHECK Results variables -- only used by prelude for now */
#ifdef PRELUDE
    char *filename;
    int perm_before;
    int perm_after;
    char *md5_before;
    char *md5_after;
    char *sha1_before;
    char *sha1_after;
    char *size_before;
    char *size_after;
    char *owner_before;
    char *owner_after;
    char *gowner_before;
    char *gowner_after;
#endif
} Eventinfo;
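One way to get at these fields without touching the source, added here as an example and not part of the original post or of OSSEC itself: parse the records OSSEC writes to logs/alerts/alerts.log and map them onto the Eventinfo member names. The record layout, the constructed sample records and the "Src IP"/"Dst IP"/"User" mapping are assumptions about the OSSEC version in use; members that exist only in memory (decoder_info, sid_node_to_delete) cannot be recovered this way.

```python
import re

# Constructed sample in the layout OSSEC writes to logs/alerts/alerts.log
# (assumption: it matches the alerts.log of the OSSEC version in use).
SAMPLE_ALERTS = """** Alert 1325376000.12345: - syslog,sshd,authentication_failed,
2012 Jan 01 00:00:00 (webhost) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
User: root
Jan  1 00:00:00 webhost sshd[1234]: Failed password for root from 203.0.113.9 port 2222 ssh2

** Alert 1325376060.12400: mail - ossec,syscheck,
2012 Jan 01 00:01:00 ossecserver->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'abc'
"""

HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?: mail)? - (?P<groups>.*?),?$")
ORIGIN = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                    r"(?:\((?P<agent>[^)]+)\) )?(?P<host>\S+?)->(?P<location>.*)$")
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Decoded-field lines and the Eventinfo member each one feeds (assumed mapping).
DECODED = {"Src IP": "srcip", "Dst IP": "dstip", "User": "srcuser"}

def parse_alert(block):
    """Turn one alerts.log record into a dict keyed like the Eventinfo struct."""
    lines = block.strip("\n").split("\n")
    h = HEADER.match(lines[0])
    o = ORIGIN.match(lines[1])
    r = RULE.match(lines[2])
    if not (h and o and r):
        raise ValueError("not an OSSEC alert record: %r" % lines[0])
    ev = {"timestamp": int(h["ts"]), "groups": h["groups"].split(","),
          "hostname": o["agent"] or o["host"], "location": o["location"],
          "rule_id": int(r["id"]), "level": int(r["level"]),
          "description": r["desc"], "srcip": None, "dstip": None, "srcuser": None}
    rest = lines[3:]
    # Decoded fields precede the raw log; stop at the first line that is not one.
    while rest:
        key, sep, value = rest[0].partition(": ")
        if not (sep and key in DECODED):
            break
        ev[DECODED[key]] = value
        rest.pop(0)
    ev["full_log"] = "\n".join(rest)   # the original event, possibly multi-line
    return ev

def parse_alerts(text):
    """Split an alerts.log stream on record boundaries and parse each record."""
    blocks = re.split(r"\n(?=\*\* Alert )", text.strip("\n"))
    return [parse_alert(b) for b in blocks if b.strip()]
```

Tailing alerts.log and feeding each record to parse_alert gives a dict that can be inserted into any store of your choosing.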