On Thu, Oct 20, 2011 at 3:19 PM, Culver, Michael <[email protected]> wrote:
> What about the output to database option? I haven't seen the db format or
> data, but it seems like it might be easy to write a simple web app to search
> the log data.
>
> -Mike
>

Are you volunteering? Again, why reinvent the wheel? Especially for Yet
Another One-Shot WebApp? There are plenty of free (and non-free) log viewers
that work very well. After seeing all of the work that's gone into them, I
don't think I'd ever want to start trying to re-do that.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Thursday, October 20, 2011 3:12 PM
> To: [email protected]
> Subject: Re: [ossec-list] ossec-wui BUG
>
> On Thu, Oct 20, 2011 at 2:47 PM, James M Pulver <[email protected]> wrote:
>> Well the only product I've gotten that's useful for searching the logs is
>> the WUI - at least the only one that "works" for me. And it meets all my
>> needs.....
>>
>
> If it needs to be "updated to work with 2.6 line of OSSEC," is it
> really meeting all of your needs?
>
>> Maybe if there's a simple HOWTO to use something else that can run on the
>> same system and doesn't require doubly storing all the logs and doesn't take
>> GB and GB more RAM, I'd use it, but nothing meets those requirements whereas
>> the WUI does. It searches the existing OSSEC logfiles and compressed
>> files. So no extra disk space. It doesn't require 32GB + RAM *just for the
>> search* like the others I've looked into seem to (Elasticsearch,
>> Graylog2)...
>>
>
> I have something planned for the 3rd annual Week of OSSEC, but I can't
> guarantee RAM usage. RAM is cheap, buy in bulk.
>
>> So I think it's great, as long as it parses the logs correctly.
>>
>
> We welcome patches. :)
>
>> --
>> James Pulver
>> Information Technology Area Supervisor
>> LEPP Computer Group
>> Cornell University
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Thursday, October 20, 2011 2:07 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] ossec-wui BUG
>>
>> What do people use the wui for? Maybe it'd be easier to create
>> something new that does a subset of what the WUI does.
>> Other products do the "log viewing" bit much better than WUI ever
>> could, so working on that bit is silly. That pretty much leaves the
>> syscheck db stuff. Anything else?
>>
>> On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver <[email protected]> wrote:
>>> Replying somewhat belatedly, I also would like to see the WUI updated to
>>> work with 2.6 line of OSSEC. I'm not a programmer really though so I don't
>>> know that I would be able to do much... But there is interest I think.
>>> --
>>> James Pulver
>>> Information Technology Area Supervisor
>>> LEPP Computer Group
>>> Cornell University
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of Scott VR
>>> Sent: Wednesday, September 14, 2011 10:29 AM
>>> To: [email protected]
>>> Cc: [email protected]
>>> Subject: Re: [ossec-list] ossec-wui BUG
>>>
>>> Speaking for myself, it was not immediately obvious that the wui was a
>>> "dead" project, though it is quickly obvious that it doesn't work as
>>> expected.
>>>
>>> Does the wui just need some development effort or is it in need of
>>> full-fledged adoption by someone to act as project manager? Is there a
>>> project page describing its abandoned state that people are overlooking?
>>> I've got some skill and cycles I'd put towards fixing the wui, but such
>>> effort should probably be managed to avoid needless duplication of effort,
>>> etc.
>>>
>>> --ScottVR
>>>
>>>
>>>
>>> On Sep 14, 2011, at 9:06 AM, "dan (ddp)" <[email protected]> wrote:
>>>
>>>> Out of curiosity, why did you revert to an ancient version of OSSEC
>>>> instead of fixing or replacing WUI (which has been a dead project for
>>>> years)?
>>>>
>>>> On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley
>>>> <[email protected]> wrote:
>>>>> I had the same issue when I upgraded to ver 2.6. I rolled back to 2.3
>>>>> and the problem went away.
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On
>>>>> Behalf Of Alexander Rikmanis
>>>>> Sent: Tuesday, September 13, 2011 8:28 PM
>>>>> To: ossec-list
>>>>> Subject: [ossec-list] ossec-wui BUG
>>>>>
>>>>> Log files are parsed incorrectly.
>>>>> Here is the raw log file from ossec and what wui shows to me:
>>>>> ----------------------------------------------------------------------------------------------
>>>>> WUI:
>>>>> 2011 Sep 14 10:10:13 Rule Id: 5501 level: 3
>>>>> Location: (manager) aa.bb.cc.dd->/var/log/secure Src IP: 8:10:14 takapu
>>>>> sshd[10373]: pam_unix(sshd:session): session opened for user sw by
>>>>> (uid=0) ^^^^^^^^^^^^^^^^^^^^^^^^ Login session opened.
>>>>> ** Alert 1315951847.1022810: - pam,syslog,authentication_success,
>>>>> 2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd->/var/log/secure
>>>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>>>> Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for
>>>>> user root by sw(uid=1001)
>>>>> -------------------------------------------------------------------------
>>>>> Raw log:
>>>>> ** Alert 1315951813.1022534: - pam,syslog,authentication_success,
>>>>> 2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
>>>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>>>> Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session
>>>>> opened for user sw by (uid=0)
>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> Look at "Src IP" field - there is a date there. And the first symbol is
>>>>> gone.
>>>>>
>>>>> Here is the screenshot: http://i52.tinypic.com/n1xn9i.png
>>>>>
>>>
>>
>
>
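The bug at the root of this thread is a parser that pulls a "Src IP" value out of the wrong place (the syslog timestamp of the event line) and drops the line's first character. As an added example, not code from ossec-wui or the OSSEC project, the block below parses alerts.log entries in the layout quoted above. Its assumption is that each entry is a "** Alert" header, a date/location line, a "Rule:" line, optional "Src IP:" and "User:" lines, and then the raw event text; the third sample entry (rule 5716, IP 192.0.2.10, user "nobody") is constructed to exercise the optional lines, the first two are the ones quoted in the thread. The point it makes: `src_ip` is only ever filled from an explicit "Src IP:" line, and the event text is stored verbatim.

```python
"""Parser for OSSEC alerts.log entries (added example; not ossec-wui code).

Assumed entry layout (as quoted in the thread):
  ** Alert <epoch>.<seq>: [mail] - <group>,<group>,...
  <YYYY Mon DD HH:MM:SS> [(<agent>) <agent-ip>->]<location>
  Rule: <id> (level <n>) -> '<description>'
  [Src IP: <ip>]            (optional)
  [User: <name>]            (optional)
  <one or more raw event lines>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<mail> mail)?\s+- (?P<groups>.*)$")
LOCATION_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) (?P<agent_ip>\S+)->)?(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>.*)$")


@dataclass
class Alert:
    timestamp: int
    seq: int
    groups: List[str]
    date: str
    agent: Optional[str]
    agent_ip: Optional[str]
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None   # only from an explicit "Src IP:" line
    user: Optional[str] = None     # only from an explicit "User:" line
    event: str = ""                # raw event line(s), kept verbatim


def _split_blocks(text: str) -> List[List[str]]:
    """Group lines into entries; a new entry starts at every '** Alert' header."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            blocks.append([line])
        elif blocks and line.strip():
            blocks[-1].append(line)
    return blocks


def _parse_block(lines: List[str]) -> Alert:
    head = HEADER_RE.match(lines[0])
    loc = LOCATION_RE.match(lines[1]) if len(lines) > 1 else None
    rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
    if not (head and loc and rule):
        raise ValueError("malformed alert block: " + lines[0])
    alert = Alert(
        timestamp=int(head["ts"]), seq=int(head["seq"]),
        groups=[g for g in head["groups"].split(",") if g],
        date=loc["date"], agent=loc["agent"], agent_ip=loc["agent_ip"],
        location=loc["location"],
        rule_id=int(rule["id"]), level=int(rule["level"]), description=rule["desc"],
    )
    rest = lines[3:]
    # Optional fields are consumed only while they appear at the front, in
    # the order OSSEC writes them; the event text is never scanned for them.
    if rest and SRCIP_RE.match(rest[0]):
        alert.src_ip = SRCIP_RE.match(rest.pop(0))["ip"]
    if rest and USER_RE.match(rest[0]):
        alert.user = USER_RE.match(rest.pop(0))["user"]
    alert.event = "\n".join(rest)
    return alert


def parse_alerts(text: str) -> List[Alert]:
    return [_parse_block(b) for b in _split_blocks(text)]


def render(a: Alert) -> str:
    """WUI-style summary of one entry; Src IP stays blank when absent."""
    where = f"({a.agent}) {a.agent_ip}->{a.location}" if a.agent else a.location
    return (f"{a.date} Rule Id: {a.rule_id} level: {a.level}\n"
            f"Location: {where}\n"
            f"Src IP: {a.src_ip or ''}\n"
            f"{a.event}\n{a.description}")


# Sample input: the two alerts quoted in the thread, plus one constructed
# entry (rule 5716 / 192.0.2.10 / nobody are illustrative values) that
# carries the optional "Src IP:" and "User:" lines.
SAMPLE = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951847.1022810: - pam,syslog,authentication_success,
2011 Sep 14 10:10:47 (manager) 67.225.152.209->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)

** Alert 1315951900.1023000: - syslog,sshd,authentication_failed,
2011 Sep 14 10:11:40 (manager) 67.225.152.209->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: nobody
Sep 13 18:11:38 takapu sshd[10400]: Failed password for nobody from 192.0.2.10 port 4242 ssh2
"""

if __name__ == "__main__":
    for entry in parse_alerts(SAMPLE):
        print(render(entry), end="\n\n")
```

Running the block prints the three entries in the WUI-like layout; for the first two the "Src IP:" line is empty rather than "8:10:14 takapu", and the event line begins with its full "Sep 13 18:10:14" timestamp.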
