Well the only product I've gotten that's useful for searching the logs is the WUI - at least the only one that "works" for me. And it meets all my needs.....
Maybe if there's a simple HOWTO to use something else that can run on the same system and doesn't require doubly storing all the logs and doesn't take GB and GB more RAM, I'd use it, but nothing meets those requirements whereas the WUI does. It searches the existing OSSEC logfiles and compressed files. So no extra disk space. It doesn't require 32GB + RAM *just for the search* like the others I've looked into seem to (elastic search, greylog2)... So I think it's great, as long as it parses the logs correctly.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 2:07 PM
To: [email protected]
Subject: Re: [ossec-list] ossec-wui BUG

What do people use the wui for? Maybe it'd be easier to create something new that does a subset of what the WUI does. Other products do the "log viewing" bit much better than WUI ever could, so working on that bit is silly. That pretty much leaves the syscheck db stuff. Anything else?

On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver <[email protected]> wrote:
> Replying somewhat belatedly, I also would like to see the WUI updated to work with the 2.6 line of OSSEC. I'm not a programmer really though so I don't know that I would be able to do much... But there is interest I think.
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Scott VR
> Sent: Wednesday, September 14, 2011 10:29 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [ossec-list] ossec-wui BUG
>
> Speaking for myself, it was not immediately obvious that the wui was a "dead" project, though it is quickly obvious that it doesn't work as expected.
>
> Does the wui just need some development effort or is it in need of full-fledged adoption by someone to act as project manager? Is there a project page describing its abandoned state that people are overlooking? I've got some skill and cycles I'd put towards fixing the wui, but such effort should probably be managed to avoid needless duplication of effort, etc.
>
> --ScottVR
>
> On Sep 14, 2011, at 9:06 AM, "dan (ddp)" <[email protected]> wrote:
>
>> Out of curiosity, why did you revert to an ancient version of OSSEC instead of fixing or replacing WUI (which has been a dead project for years)?
>>
>> On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley <[email protected]> wrote:
>>> I had the same issue when I upgraded to ver 2.6. I rolled back to 2.3 and the problem went away.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Alexander Rikmanis
>>> Sent: Tuesday, September 13, 2011 8:28 PM
>>> To: ossec-list
>>> Subject: [ossec-list] ossec-wui BUG
>>>
>>> Log files are parsed incorrectly.
>>> Here is the raw log file from ossec and what wui shows to me:
>>> ----------------------------------------------------------------------------------------------
>>> WUI:
>>> 2011 Sep 14 10:10:13 Rule Id: 5501 level: 3
>>> Location: (manager) aa.bb.cc.dd->/var/log/secure Src IP: 8:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
>>> ^^^^^^^^^^^^^^^^^^^^^^^^ Login session opened.
>>> ** Alert 1315951847.1022810: - pam,syslog,authentication_success,
>>> 2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd->/var/log/secure
>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>> Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)
>>> -------------------------------------------------------------------------
>>> Raw log:
>>> ** Alert 1315951813.1022534: - pam,syslog,authentication_success,
>>> 2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>> Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Look at the "Src IP" field - there is a date there. And the first symbol is gone.
>>>
>>> Here is the screenshot: http://i52.tinypic.com/n1xn9i.png
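The alerts.log layout quoted in the bug report, as an added example that is not part of this thread nor of the OSSEC WUI code: a small Python parser that treats "Src IP:" and "User:" as optional lines recognised only by their exact prefix, so a raw event line that begins with a syslog timestamp can never be reported as the source IP. The first record is the one from the thread (with its anonymised address); the second record, its rule text, user and addresses are constructed for this example and are assumptions, as is the optional-line order.

```python
import re

# Constructed sample in the alerts.log layout quoted in the thread (IP kept as
# the thread's anonymised "aa.bb.cc.dd"); the second record is made up to show
# the optional "Src IP:" / "User:" lines that some alerts carry.
SAMPLE = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) aa.bb.cc.dd->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951900.1022999: - syslog,sshd,authentication_failed,
2011 Sep 14 10:11:40 (manager) aa.bb.cc.dd->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: bob
Sep 13 18:11:39 takapu sshd[10401]: Failed password for bob from 192.0.2.10 port 4455 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): - (.*?),?$")
WHERE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((.+?)\) )?(.+?)->(.+)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
OPTIONAL = {"Src IP": "src_ip", "User": "user"}  # the only prefixed field lines


def parse_alerts(text):
    """Split alerts.log text into records, one dict per '** Alert' block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr, where, rule = (HEADER.match(lines[0]), WHERE.match(lines[1]),
                            RULE.match(lines[2]))
        if not (hdr and where and rule):
            raise ValueError("unrecognised alert block: %r" % lines[:3])
        alert = {
            "id": hdr.group(1),
            "groups": [g for g in hdr.group(2).split(",") if g],
            "time": where.group(1), "agent": where.group(2),
            "agent_ip": where.group(3), "location": where.group(4),
            "rule": int(rule.group(1)), "level": int(rule.group(2)),
            "description": rule.group(3), "src_ip": None, "user": None,
        }
        rest = lines[3:]
        # Consume optional fields only while the line carries an exact "Key: "
        # prefix from OPTIONAL. A raw line such as "Sep 13 18:10:14 takapu ..."
        # never qualifies, so no timestamp can land in src_ip (the symptom shown).
        while rest and rest[0].partition(": ")[0] in OPTIONAL:
            key, _, value = rest.pop(0).partition(": ")
            alert[OPTIONAL[key]] = value
        alert["log"] = "\n".join(rest)  # whatever remains is the raw event
        alerts.append(alert)
    return alerts
```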
