What about the output to database option?  I haven't seen the db format or 
data, but it seems like it might be easy to write a simple web app to search 
the log data.

-Mike

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 3:12 PM
To: [email protected]
Subject: Re: [ossec-list] ossec-wui BUG

On Thu, Oct 20, 2011 at 2:47 PM, James M Pulver <[email protected]> wrote:
> Well the only product I've gotten that's useful for searching the logs is the 
> WUI - at least the only one that "works" for me. And it meets all my 
> needs.....
>

If it needs to be "updated to work with 2.6 line of OSSEC," is it
really meeting all of your needs?

> Maybe if there's a simple HOWTO to use something else that can run on the 
> same system and doesn't require doubly storing all the logs and doesn't take 
> GB and GB more RAM, I'd use it, but nothing meets those requirements whereas 
> the WUI does. It searches the existing OSSEC logfiles and compressed files. 
> So not extra disk space. It doesn't require 32GB + RAM *just for the search* 
> like the others I've looked into seem to (elastic search, greylog2)...
>

I have something planned for the 3rd annual Week of OSSEC, but I can't
guarantee ram usage. RAM is cheap, buy in bulk.

> So I think it's great, as long as it parses the logs correctly.
>

We welcome patches. :)

> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Thursday, October 20, 2011 2:07 PM
> To: [email protected]
> Subject: Re: [ossec-list] ossec-wui BUG
>
> What do people use the wui for? Maybe it'd be easier to create
> something new that does a subset of what the WUI does.
> Other products do the "log viewing" bit much better than WUI ever
> could, so working on that bit is silly. That pretty much leaves the
> syscheck db stuff. Anything else?
>
> On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver <[email protected]> wrote:
>> Replying somewhat belatedly, I also would like to see the WUI updated to 
>> work with 2.6 line of OSSEC. I'm not a programmer really though so I don't 
>> know that I would be able to do much... But there is interest I think.
>> --
>> James Pulver
>> Information Technology Area Supervisor
>> LEPP Computer Group
>> Cornell University
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On 
>> Behalf Of Scott VR
>> Sent: Wednesday, September 14, 2011 10:29 AM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: Re: [ossec-list] ossec-wui BUG
>>
>> Speaking for myself, it was not immediately obvious that the wui was a 
>> "dead" project, though it is quickly obvious that it doesn't work as 
>> expected.
>>
>> Does the wui just need some development effort or is it in need of 
>> full-fledged adoption by someone to act as project manager? Is there a 
>> project page describing its abandoned state that people are overlooking? 
>> I've got some skill and cycles I'd put towards fixing the wui, but such 
>> effort should probably be managed to avoid needless duplication of effort, 
>> etc.
>>
>> --ScottVR
>>
>>
>>
>> On Sep 14, 2011, at 9:06 AM, "dan (ddp)" <[email protected]> wrote:
>>
>>> Out of curiosity, why did you revert to an ancient version of OSSEC
>>> instead of fixing or replacing WUI (which has been a dead project for
>>> years)?
>>>
>>> On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley
>>> <[email protected]> wrote:
>>>> I had the same issue when I upgraded to ver 2.6.  I rolled back to 2.3 and 
>>>> the problem went away.
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On 
>>>> Behalf Of Alexander Rikmanis
>>>> Sent: Tuesday, September 13, 2011 8:28 PM
>>>> To: ossec-list
>>>> Subject: [ossec-list] ossec-wui BUG
>>>>
>>>> Log files are parsed incorrectly.
>>>> here is the raw log file from ossec and what wui shows to me:
>>>> ----------------------------------------------------------------------------------------------
>>>> WUI:
>>>> 2011 Sep 14 10:10:13 Rule Id: 5501 level: 3
>>>> Location: (manager) aa.bb.cc.dd->/var/log/secure Src IP: 8:10:14 takapu 
>>>> sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0) 
>>>> ^^^^^^^^^^^^^^^^^^^^^^^^ Login session opened.
>>>> ** Alert 1315951847.1022810: - pam,syslog,authentication_success,
>>>> 2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd->/var/log/secure
>>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>>> Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user 
>>>> root by sw(uid=1001)
>>>> -------------------------------------------------------------------------
>>>> Raw log:
>>>> ** Alert 1315951813.1022534: - pam,syslog,authentication_success,
>>>> 2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
>>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>>> Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened 
>>>> for user sw by (uid=0) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Look at "Src IP" 
>>>> field - there is a date there. And the first symbol is gone.
>>>>
>>>> here is the screenshot: [IMG]http://i52.tinypic.com/n1xn9i.png[/IMG]
>>>>
>>
>


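The bug report at the bottom of the thread quotes one raw OSSEC alerts.log record and shows the WUI putting a fragment of the log's timestamp into the "Src IP" field. The parser below is an added example, not code from this thread or from ossec-wui: it reads the record quoted in the report and extracts each field by matching the record's header lines at line start, so an optional `Src IP:` or `User:` line is only ever taken from the alert metadata and never from the raw log text. The second record in the sample, with its `Src IP:`/`User:` lines, is constructed to exercise those optional lines; the `search()` helper sketches the kind of query Mike asks about.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample alerts.log. The first record is the raw record quoted in the
# bug report; the second is constructed to carry the optional "Src IP:"/"User:"
# metadata lines that OSSEC writes for some rules.
SAMPLE_ALERTS = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951900.1023000: - syslog,sshd,authentication_failed,
2011 Sep 14 10:11:40 (manager) 67.225.152.209->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: bob
Sep 13 18:11:39 takapu sshd[10411]: Failed password for bob from 192.0.2.10 port 51022 ssh2
"""

# "** Alert <epoch>.<counter>: <flag> <group>,<group>,...,"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): (\S+) (.*),$")
# "<YYYY Mon DD HH:MM:SS> [(agent) ]<hostname-or-ip>-><location>"
STAMP_RE = re.compile(
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) )?(?P<source>\S+?)->(?P<location>.+)$"
)
# "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    timestamp: str
    agent: Optional[str]
    source: str
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Parse alerts.log text into Alert records (records are blank-line separated)."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # not an alert record; skip rather than guess
        alert_id = f"{header.group(1)}.{header.group(2)}"
        groups = [g for g in header.group(4).split(",") if g]
        stamp = STAMP_RE.match(lines[1]) if len(lines) > 1 else None
        rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
        if not (stamp and rule):
            raise ValueError(f"malformed alert record {alert_id}")
        alert = Alert(
            alert_id, groups, stamp.group(1), stamp.group("agent"),
            stamp.group("source"), stamp.group("location"),
            int(rule.group(1)), int(rule.group(2)), rule.group(3),
        )
        body = lines[3:]
        # Optional metadata lines sit between the Rule line and the raw log.
        # Matching them only at line start keeps a log timestamp such as
        # "18:10:14" from ever being read as the source IP.
        while body and (body[0].startswith("Src IP: ") or body[0].startswith("User: ")):
            key, _, value = body.pop(0).partition(": ")
            if key == "Src IP":
                alert.src_ip = value
            else:
                alert.user = value
        alert.log = body  # whatever remains is the original log event
        alerts.append(alert)
    return alerts


def search(alerts: List[Alert], rule_id: Optional[int] = None,
           needle: Optional[str] = None) -> List[Alert]:
    """Filter by rule id and/or a case-insensitive substring of the raw log."""
    hits = []
    for a in alerts:
        if rule_id is not None and a.rule_id != rule_id:
            continue
        if needle is not None and not any(needle.lower() in l.lower() for l in a.log):
            continue
        hits.append(a)
    return hits


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.timestamp, a.rule_id, a.level, a.src_ip or "-", a.description)
```

Running the block prints one line per record; the first record shows `-` for the source IP because the quoted alert carries no `Src IP:` line, which is exactly the case where the WUI's display went wrong.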