Check the names of the log files. I know Red Hat uses a different name for the auth log (secure?).
I had to manually add log file names, but it was so long ago that I forgot what changes I made, and now I only have Ubuntu.

On 12/14/2010 10:59 AM, Christopher Moraes wrote:
Hi Dan,

Yes, one server is running RHEL 5 and the other is running Ubuntu 10.10.
I'm getting the full report (with the log dump) with ossec running on Ubuntu 10.10.

On the RHEL 5 instance, I log in as a normal user (part of ossec group) and then run the ossec commands using sudo.  e.g.
cat <alert file> | sudo ./ossec-reportd -f rule 100091

I get only the report summary on this server.

On the Ubuntu instance I'm logging in as root and running the same command (except without using sudo) and I get the report with the summary and the full log dump.

The alert file on both systems is the same (they are both test instances and I've used the same log dump to generate the alerts).

Regards,
Chris


On Tue, Dec 14, 2010 at 9:26 AM, dan (ddp) <[email protected]> wrote:
Any difference between the servers? OS/version?

On Mon, Dec 13, 2010 at 2:45 PM, Christopher Moraes
<[email protected]> wrote:
> Hi,
> I have two instances of ossec running on different servers.  When I run
> ossec-reportd on one, I get a report which contains summary stats as well as
> a dump of the relevant alerts.  On the second server, reportd is only
> generating the summary stats without a log dump.
> Both instances are running ossec v2.5.1.  Reportd generates a summary
> showing 8 matching alerts on both servers.
> Is there a configuration option that controls whether Reportd generates the
> log dump?
> Regards,
> Chris
>


-- 
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
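The advice above is to check which auth log each distribution actually writes and make sure ossec.conf lists it. The following is an added example (not code from the thread or from the OSSEC project): a small POSIX shell snippet that picks the first readable auth log from a list of candidate paths, prints the `<localfile>` stanza OSSEC expects for it, and checks whether an existing ossec.conf already contains that path. The candidate paths (`/var/log/secure` for the Red Hat family, `/var/log/auth.log` for Debian/Ubuntu) are assumed defaults; the ossec.conf path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the OSSEC sources.

# find_auth_log PATH...: print the first candidate that exists and is readable.
# Returns 1 if none of them does, so the caller can fall back or complain.
find_auth_log() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# localfile_stanza PATH: print the ossec.conf <localfile> block for a syslog-format file.
localfile_stanza() {
    printf '<localfile>\n  <log_format>syslog</log_format>\n  <location>%s</location>\n</localfile>\n' "$1"
}

# conf_has_location CONF PATH: succeed if CONF already lists PATH as a <location>.
# Used to avoid adding a duplicate stanza when the file is already monitored.
conf_has_location() {
    grep -q "<location>$2</location>" "$1"
}

# Usage (assumed defaults for the two distributions in the thread):
#   auth=$(find_auth_log /var/log/secure /var/log/auth.log) || echo "no auth log found" >&2
#   conf_has_location /var/ossec/etc/ossec.conf "$auth" || localfile_stanza "$auth"
```

Run the usage lines on each server; if the stanza is printed, that path is not yet in ossec.conf and the auth events on that host are not being read, which is the first thing to rule out when one instance's reports come back without matching alerts.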
