I don't think you'll be able to do it without modifying the source, or parsing the alerts.log file manually.
On Tue, Dec 7, 2010 at 12:44 PM, <[email protected]> wrote:
> I would like to store all logs processed by ossec and all normalized fields
> in my own data store. Is this possible without modifying the source code?
> I thought perhaps I could use the active response system, but I'm not sure
> all the information I need can be passed to that system.
>
> It supports MySQL and Postgres out of the box. What data goes in those
> databases? Looking over the source code, I see the event struct (shown
> below). Is there a way to get access to that information?
>
> Thanks,
> Scott
>
>
> /* Event Information structure */
> typedef struct _Eventinfo
> {
>     /* Extracted from the event */
>     char *log;
>     char *full_log;
>     char *location;
>     char *hostname;
>     char *program_name;
>
>
>     /* Extracted from the decoders */
>     char *srcip;
>     char *dstip;
>     char *srcport;
>     char *dstport;
>     char *protocol;
>     char *action;
>     char *srcuser;
>     char *dstuser;
>     char *id;
>     char *status;
>     char *command;
>     char *url;
>     char *data;
>     char *systemname;
>
>
>     /* Pointer to the rule that generated it */
>     RuleInfo *generated_rule;
>
>     /* Pointer to the decoder that matched */
>     OSDecoderInfo *decoder_info;
>
>     /* Sid node to delete */
>     OSListNode *sid_node_to_delete;
>
>     /* Extract when the event fires a rule */
>     int size;
>     int p_name_size;
>
>
>     /* Other internal variables */
>     short int matched;
>
>     int time;
>     int day;
>     int year;
>     char hour[10];
>     char mon[4];
>
>     /* SYSCHECK Results variables -- only used by prelude for now */
>     #ifdef PRELUDE
>     char *filename;
>     int perm_before;
>     int perm_after;
>     char *md5_before;
>     char *md5_after;
>     char *sha1_before;
>     char *sha1_after;
>     char *size_before;
>     char *size_after;
>     char *owner_before;
>     char *owner_after;
>     char *gowner_before;
>     char *gowner_after;
>     #endif
> }Eventinfo;
>
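One way to do the "parse alerts.log manually" option suggested above, as an added example (my code, not OSSEC's and not anything Scott posted): split the file on blank lines and pull the header, rule and decoder fields of each alert into a flat record keyed like the Eventinfo members. The layout assumed here (header line, date/location line, Rule line, then "Src IP:"/"User:" style lines ahead of the raw log) and the two sample alerts are constructed, so check them against an alerts.log from your own version before relying on the field mapping.

```python
import re
from typing import Dict, List
# Constructed sample in the alerts.log layout (two alerts, not a real capture).
SAMPLE_ALERTS = """\
** Alert 1291743840.1024: mail  - syslog,sshd,authentication_failed,
2010 Dec 07 12:44:00 (webserver01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Dec  7 12:43:59 webserver01 sshd[2231]: Failed password for root from 198.51.100.7 port 4022 ssh2

** Alert 1291743901.2048: - syslog,sudo
2010 Dec 07 12:45:01 ossec-server->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: scott
Dec  7 12:45:00 ossec-server sudo:    scott : TTY=pts/0 ; PWD=/home/scott ; USER=root ; COMMAND=/bin/ls
"""
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<id>\d+): (?P<flags>.*?)- (?P<groups>\S*)$")
LOCATION_RE = re.compile(r"^(?P<time>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) (?:\((?P<agent>[^)]*)\) )?"
                         r"(?P<host>\S+?)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# "Label: value" lines printed from decoder output, mapped onto Eventinfo names (assumed set).
FIELD_MAP = {"Src IP": "srcip", "Dst IP": "dstip", "Src Port": "srcport",
             "Dst Port": "dstport", "User": "dstuser"}

def parse_alert(block: str) -> Dict[str, str]:
    """Turn one blank-line-delimited alert into a flat record of Eventinfo-like fields."""
    lines = block.strip("\n").split("\n")
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an alert header: " + lines[0])
    rec = {"alert_ts": m["ts"], "alert_id": m["id"], "flags": m["flags"].strip(),
           "groups": m["groups"].strip(",")}
    if len(lines) > 1 and (m := LOCATION_RE.match(lines[1])):
        # Agent alerts carry "(agent) ip->location"; server-local ones "host->location".
        rec.update(time=m["time"], hostname=m["agent"] or m["host"], location=m["location"])
    if len(lines) > 2 and (m := RULE_RE.match(lines[2])):
        rec.update(rule_id=m["rule"], level=m["level"], description=m["desc"])
    body: List[str] = []
    for line in lines[3:]:
        label, sep, value = line.partition(": ")
        if sep and label in FIELD_MAP and not body:   # decoder fields precede the raw log
            rec[FIELD_MAP[label]] = value
        else:
            body.append(line)
    rec["full_log"] = "\n".join(body)              # original log line(s), like Eventinfo.full_log
    return rec

def parse_alerts_log(text: str) -> List[Dict[str, str]]:
    # Alerts are separated by blank lines; ignore anything that is not an alert block.
    return [parse_alert(b) for b in re.split(r"\n{2,}", text.strip()) if b.startswith("** Alert")]
```

Each returned dict can be handed straight to whatever insert routine your own data store uses; fields the alert did not carry (here, srcip on the sudo alert) are simply absent rather than empty.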
