Yes, if you need all the information, you need to modify the source. Take a look at prelude.c (inside src/analysisd), since it does that already and should be easy to modify for your own needs...
thanks,

On Wed, Dec 8, 2010 at 11:19 AM, dan (ddp) <[email protected]> wrote:
> I don't think you'll be able to do it without modifying the source, or
> parsing the alerts.log file manually.
>
> On Tue, Dec 7, 2010 at 12:44 PM, <[email protected]> wrote:
>> I would like to store all logs processed by ossec and all normalized fields
>> in my own data store. Is this possible without modifying the source code?
>> I thought perhaps I could use the active response system, but I'm not sure
>> all the information I need can be passed to that system.
>>
>> It supports MySQL and Postgres out of the box. What data goes in those
>> databases? Looking over the source code, I see the event struct (shown
>> below). Is there a way to get access to that information?
>>
>> Thanks,
>> Scott
>>
>>
>> /* Event Information structure */
>> typedef struct _Eventinfo
>> {
>>     /* Extracted from the event */
>>     char *log;
>>     char *full_log;
>>     char *location;
>>     char *hostname;
>>     char *program_name;
>>
>>     /* Extracted from the decoders */
>>     char *srcip;
>>     char *dstip;
>>     char *srcport;
>>     char *dstport;
>>     char *protocol;
>>     char *action;
>>     char *srcuser;
>>     char *dstuser;
>>     char *id;
>>     char *status;
>>     char *command;
>>     char *url;
>>     char *data;
>>     char *systemname;
>>
>>     /* Pointer to the rule that generated it */
>>     RuleInfo *generated_rule;
>>
>>     /* Pointer to the decoder that matched */
>>     OSDecoderInfo *decoder_info;
>>
>>     /* Sid node to delete */
>>     OSListNode *sid_node_to_delete;
>>
>>     /* Extract when the event fires a rule */
>>     int size;
>>     int p_name_size;
>>
>>     /* Other internal variables */
>>     short int matched;
>>
>>     int time;
>>     int day;
>>     int year;
>>     char hour[10];
>>     char mon[4];
>>
>>     /* SYSCHECK Results variables -- only used by prelude for now */
>> #ifdef PRELUDE
>>     char *filename;
>>     int perm_before;
>>     int perm_after;
>>     char *md5_before;
>>     char *md5_after;
>>     char *sha1_before;
>>     char *sha1_after;
>>     char *size_before;
>>     char *size_after;
>>     char *owner_before;
>>     char *owner_after;
>>     char *gowner_before;
>>     char *gowner_after;
>> #endif
>> }Eventinfo;
>>
>
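The route dan points at (a prelude.c-style hook inside analysisd that is handed each Eventinfo after decoding and rule matching) still needs a routine that turns the struct's normalized fields into something a custom data store can ingest. The C below is an added example written for this thread, not OSSEC's own code: it assumes a local copy of a subset of the Eventinfo struct quoted above, and eventinfo_to_json is a hypothetical name. It emits one JSON object per event, skips fields the decoders left NULL, and escapes the raw log text, because whatever an attacker manages to write into a log line lands in full_log and must not be able to break the record format of the store receiving it.

```c
#include <stdio.h>
#include <string.h>

/* Subset of OSSEC's Eventinfo as quoted in the thread. This local copy is
 * an assumption for the example and is not the project's header. */
typedef struct _Eventinfo {
    char *log;
    char *full_log;
    char *location;
    char *hostname;
    char *program_name;
    char *srcip;
    char *dstip;
    char *srcport;
    char *dstport;
    char *protocol;
    char *action;
    char *srcuser;
    char *dstuser;
    char *id;
    char *status;
    char *command;
    char *url;
    char *data;
    char *systemname;
    int time;
} Eventinfo;

/* Write one character into out if there is room, tracking the length in *len. */
static int put(char *out, size_t cap, size_t *len, char c) {
    if (*len + 1 >= cap) return -1;   /* keep room for the terminating NUL */
    out[(*len)++] = c;
    return 0;
}

/* Append s as a quoted JSON string, escaping quotes, backslashes and control
 * characters. Log content is attacker-influenced, so it is never copied raw. */
static int put_json_string(char *out, size_t cap, size_t *len, const char *s) {
    if (put(out, cap, len, '"')) return -1;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        const char *esc = NULL;
        char hex[8];
        switch (c) {
            case '"':  esc = "\\\""; break;
            case '\\': esc = "\\\\"; break;
            case '\n': esc = "\\n";  break;
            case '\r': esc = "\\r";  break;
            case '\t': esc = "\\t";  break;
        }
        if (!esc && c < 0x20) {               /* other control bytes as \u00XX */
            snprintf(hex, sizeof hex, "\\u%04x", (unsigned)c);
            esc = hex;
        }
        if (esc) {
            for (const char *p = esc; *p; p++)
                if (put(out, cap, len, *p)) return -1;
        } else if (put(out, cap, len, (char)c)) {
            return -1;
        }
    }
    return put(out, cap, len, '"');
}

/* Append "key":"value" (comma-separated after the first field) when value is set. */
static int put_field(char *out, size_t cap, size_t *len, int *count,
                     const char *key, const char *value) {
    if (!value) return 0;
    if (*count > 0 && put(out, cap, len, ',')) return -1;
    if (put_json_string(out, cap, len, key)) return -1;
    if (put(out, cap, len, ':')) return -1;
    if (put_json_string(out, cap, len, value)) return -1;
    (*count)++;
    return 0;
}

/* Serialize the normalized fields of lf as one single-line JSON object.
 * Returns the number of fields emitted, or -1 if out (capacity cap) is too
 * small. This is the body a hook in analysisd would call where prelude.c is
 * called today; delivering the line to the data store is left to the caller. */
int eventinfo_to_json(const Eventinfo *lf, char *out, size_t cap) {
    size_t len = 0;
    int count = 0;
    char ts[32];
    if (cap == 0) return -1;
    if (put(out, cap, &len, '{')) return -1;
    snprintf(ts, sizeof ts, "%d", lf->time);
    if (put_field(out, cap, &len, &count, "time", ts)) return -1;
    const struct { const char *key; const char *value; } fields[] = {
        {"location", lf->location}, {"hostname", lf->hostname},
        {"program_name", lf->program_name}, {"srcip", lf->srcip},
        {"dstip", lf->dstip}, {"srcport", lf->srcport}, {"dstport", lf->dstport},
        {"protocol", lf->protocol}, {"action", lf->action},
        {"srcuser", lf->srcuser}, {"dstuser", lf->dstuser}, {"id", lf->id},
        {"status", lf->status}, {"command", lf->command}, {"url", lf->url},
        {"data", lf->data}, {"systemname", lf->systemname},
        {"full_log", lf->full_log},
    };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (put_field(out, cap, &len, &count, fields[i].key, fields[i].value)) return -1;
    if (put(out, cap, &len, '}')) return -1;
    out[len] = '\0';
    return count;
}

int main(void) {
    /* Constructed sample event, not a real capture. */
    Eventinfo lf = {0};
    lf.full_log = "Dec  8 11:19:00 host sshd[123]: Failed password for \"root\" from 10.0.0.5";
    lf.location = "/var/log/auth.log";
    lf.hostname = "host";
    lf.program_name = "sshd";
    lf.srcip = "10.0.0.5";
    lf.srcuser = "root";
    lf.time = 1291803540;
    char buf[512];
    int n = eventinfo_to_json(&lf, buf, sizeof buf);
    printf("%d fields: %s\n", n, buf);
    return n < 0;
}
```

The fixed-capacity buffer and the -1 on overflow matter in this position: the hook runs inside analysisd for every event, so a record that does not fit should be dropped or logged rather than truncated into malformed JSON.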
