I'm saying I'm going to be devoting some time to it.

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Friday, October 21, 2011 9:19 AM
To: [email protected]
Subject: Re: [ossec-list] ossec-wui BUG

I'll have 1.5 things related to OSSEC log viewing coming out next week.

I'm not trying to discourage anyone from working on the WUI, just
offering a different opinion on it. I think it's a waste of time and
resources. If you don't, you're more than welcome to work on it. If
you can't code, find someone who can.

Saying that other people devote time to it is silly.

On Fri, Oct 21, 2011 at 8:51 AM, James M Pulver <[email protected]> wrote:
> Well, implementing OSSEC is a big enough task IMO as a project - at least for 
> me. Like I said, I tried to use Logstash + elastic search, it crashed in the 
> "simple" version, so would have required more work.
>
> I'm not wedded to the WUI exactly, but OSSEC doesn't use a standard log 
> format. I'm going to look into whether it makes sense for us to patch the WUI 
> for 2.6 or to put effort into a project to implement another log viewer / 
> front end. But if it's going to require another server it's probably a no go 
> for me right now (budget issues etc).
>
> If OSSEC community want to suggest a plug and play replacement for the WUI 
> I'm ALL ears. But everything seems to require not just one, but a set of 
> interlocking components, some new parsing language or scripting to massage 
> the OSSEC log format, and potentially duplicate storage of the log 
> information, in OSSEC and in the log viewer.
>
> If I had some direction as to what OSS tool I should use to read the 
> collected OSSEC logs, I'm really interested, especially if there's a howto so 
> it's not another research project.
>
> Thanks,
>
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Thursday, October 20, 2011 3:34 PM
> To: [email protected]
> Subject: Re: [ossec-list] ossec-wui BUG
>
> On Thu, Oct 20, 2011 at 3:19 PM, Culver, Michael <[email protected]> wrote:
>> What about the output to database option?  I haven't seen the db format or 
>> data, but it seems like it might be easy to write a simple web app to search 
>> the log data.
>>
>> -Mike
>>
>
> Are you volunteering?
>
> Again, why reinvent the wheel? Especially for Yet Another One-Shot
> WebApp? There are plenty of free (and non-free) log viewers that work
> very well. After seeing all of the work that's gone into them, I don't
> think I'd ever want to start trying to re-do that.
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On 
>> Behalf Of dan (ddp)
>> Sent: Thursday, October 20, 2011 3:12 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] ossec-wui BUG
>>
>> On Thu, Oct 20, 2011 at 2:47 PM, James M Pulver <[email protected]> wrote:
>>> Well the only product I've gotten that's useful for searching the logs is 
>>> the WUI - at least the only one that "works" for me. And it meets all my 
>>> needs.....
>>>
>>
>> If it needs to be "updated to work with 2.6 line of OSSEC," is it
>> really meeting all of your needs?
>>
>>> Maybe if there's a simple HOWTO to use something else that can run on the 
>>> same system and doesn't require doubly storing all the logs and doesn't 
>>> take GB and GB more RAM, I'd use it, but nothing meets those requirements 
>>> where as the WUI does. It searches the existing OSSEC logfiles and 
>>> compressed files. So not extra disk space. It doesn't require 32GB + RAM 
>>> *just for the search* like the others I've looked into seem to (elastic 
>>> search, greylog2)...
>>>
>>
>> I have something planned for the 3rd annual Week of OSSEC, but I can't
>> guarantee ram usage. RAM is cheap, buy in bulk.
>>
>>> So I think it's great, as long as it parses the logs correctly.
>>>
>>
>> We welcome patches. :)
>>
>>> --
>>> James Pulver
>>> Information Technology Area Supervisor
>>> LEPP Computer Group
>>> Cornell University
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On 
>>> Behalf Of dan (ddp)
>>> Sent: Thursday, October 20, 2011 2:07 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] ossec-wui BUG
>>>
>>> What do people use the wui for? Maybe it'd be easier to create
>>> something new that does a subset of what the WUI does.
>>> Other products do the "log viewing" bit much better than WUI ever
>>> could, so working on that bit is silly. That pretty much leaves the
>>> syscheck db stuff. Anything else?
>>>
>>> On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver <[email protected]> wrote:
>>>> Replying somewhat belatedly, I also would like to see the WUI updated to 
>>>> work with 2.6 line of OSSEC. I'm not a programmer really though so I don't 
>>>> know that I would be able to do much... But there is interest I think.
>>>> --
>>>> James Pulver
>>>> Information Technology Area Supervisor
>>>> LEPP Computer Group
>>>> Cornell University
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On 
>>>> Behalf Of Scott VR
>>>> Sent: Wednesday, September 14, 2011 10:29 AM
>>>> To: [email protected]
>>>> Cc: [email protected]
>>>> Subject: Re: [ossec-list] ossec-wui BUG
>>>>
>>>> Speaking for myself, it was not immediately obvious that the wui was a 
>>>> "dead" project, though it is quickly obvious that it doesn't work as 
>>>> expected.
>>>>
>>>> Does the wui just need some development effort or is it in need of 
>>>> full-fledged adoption by someone to act as project manager? Is there a 
>>>> project page describing its abandoned state that people are overlooking? 
>>>> I've got some skill and cycles I'd put towards fixing the wui, but such 
>>>> effort should probably be managed to avoid needless duplication of effort, 
>>>> etc.
>>>>
>>>> --ScottVR
>>>>
>>>>
>>>>
>>>> On Sep 14, 2011, at 9:06 AM, "dan (ddp)" <[email protected]> wrote:
>>>>
>>>>> Out of curiosity, why did you revert to an ancient version of OSSEC
>>>>> instead of fixing or replacing WUI (which has been a dead project for
>>>>> years)?
>>>>>
>>>>> On Wed, Sep 14, 2011 at 8:57 AM, Mike Disley
>>>>> <[email protected]> wrote:
>>>>>> I had the same issue when I upgraded to ver 2.6.  I rolled back to 2.3 
>>>>>> and the problem went away.
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] 
>>>>>> On Behalf Of Alexander Rikmanis
>>>>>> Sent: Tuesday, September 13, 2011 8:28 PM
>>>>>> To: ossec-list
>>>>>> Subject: [ossec-list] ossec-wui BUG
>>>>>>
>>>>>> Log files are parsed incorrectly.
>>>>>> here is the raw log file from ossec and what wui shows to me:
>>>>>> ----------------------------------------------------------------------------------------------
>>>>>> WUI:
>>>>>> 2011 Sep 14 10:10:13 Rule Id: 5501 level: 3
>>>>>> Location: (manager) aa.bb.cc.dd->/var/log/secure Src IP: 8:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
>>>>>>                                                  ^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> Login session opened.
>>>>>> ** Alert 1315951847.1022810: - pam,syslog,authentication_success,
>>>>>> 2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd->/var/log/secure
>>>>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>>>>> Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for 
>>>>>> user root by sw(uid=1001)
>>>>>> -------------------------------------------------------------------------
>>>>>> Raw log:
>>>>>> ** Alert 1315951813.1022534: - pam,syslog,authentication_success,
>>>>>> 2011 Sep 14 10:10:13 (manager) 67.225.152.209->/var/log/secure
>>>>>> Rule: 5501 (level 3) -> 'Login session opened.'
>>>>>> Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)
>>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> Look at "Src IP" field - there is a date there. And the first symbol is gone.
>>>>>>
>>>>>> here is the screenshot: http://i52.tinypic.com/n1xn9i.png
>>>>>>
>>>>
>>>
>>
>>
>>
>

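The bug report at the bottom of this thread shows the WUI treating part of the raw log line ("8:10:14 takapu ...") as the "Src IP" field and dropping the first character of the log. The records it quotes are enough to write a parser that keeps the fields apart: an alerts.log record is a "** Alert" header line, a timestamp plus location line, a "Rule:" line, and then the raw log. The parser below is an added example, not code from the thread or from the ossec-wui project. It assumes, beyond what the quoted records show, that OSSEC may emit optional "Src IP:" and "User:" lines between the "Rule:" line and the raw log (the third sample record, which exercises that, is constructed; the first two are the records from the bug report with the log lines unwrapped). A listing built from these fields shows "-" for Src IP when the alert has none instead of borrowing text from the log line.

```python
"""Parse OSSEC alerts.log records into structured fields (added example).

Record layout taken from the records quoted in the bug report; the optional
"Src IP:" / "User:" lines before the raw log are an assumption about OSSEC's
output and are exercised by a constructed third record.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two records from the bug report (log lines
# unwrapped) plus one constructed record that carries Src IP / User lines.
SAMPLE_ALERTS = """\
** Alert 1315951813.1022534: - pam,syslog,authentication_success,
2011 Sep 14 10:10:13 (manager) aa.bb.cc.dd->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:14 takapu sshd[10373]: pam_unix(sshd:session): session opened for user sw by (uid=0)

** Alert 1315951847.1022810: - pam,syslog,authentication_success,
2011 Sep 14 10:10:47 (manager) aa.bb.cc.dd->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 13 18:10:50 takapu su: pam_unix(su-l:session): session opened for user root by sw(uid=1001)

** Alert 1315951900.1023000: - syslog,sshd,authentication_failed,
2011 Sep 14 10:11:40 (manager) aa.bb.cc.dd->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: sw
Sep 13 18:11:37 takapu sshd[10401]: Failed password for sw from 192.0.2.10 port 4422 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): (?:mail\s+)?- (.*)$")
TIME_LOC_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (.+)$")
AGENT_LOC_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<addr>\S+?)->(?P<file>.+)$")
HOST_LOC_RE = re.compile(r"^(?P<host>\S+?)->(?P<file>.+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


class AlertFormatError(ValueError):
    """Raised when a record does not follow the expected line layout."""


@dataclass
class Alert:
    alert_id: str            # "<epoch>.<counter>" from the header line
    groups: List[str]
    timestamp: str           # "2011 Sep 14 10:10:13"
    agent: Optional[str]     # None for the "host->file" location form
    source_addr: str         # agent address, or hostname in the host form
    log_file: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None   # only set when an explicit "Src IP:" line exists
    user: Optional[str] = None
    raw_log: List[str] = field(default_factory=list)


def parse_alert(block: str) -> Alert:
    """Parse one blank-line-delimited record."""
    lines = [ln.rstrip("\r") for ln in block.strip().split("\n")]
    if len(lines) < 4:
        raise AlertFormatError(f"truncated record: {lines!r}")

    m = HEADER_RE.match(lines[0])
    if not m:
        raise AlertFormatError(f"bad header line: {lines[0]!r}")
    epoch, counter, groups_str = m.groups()
    groups = [g for g in groups_str.split(",") if g]   # drop the empty item after the trailing comma

    m = TIME_LOC_RE.match(lines[1])
    if not m:
        raise AlertFormatError(f"bad timestamp/location line: {lines[1]!r}")
    timestamp, location = m.groups()
    loc = AGENT_LOC_RE.match(location)
    if loc:
        agent, addr, log_file = loc.group("agent"), loc.group("addr"), loc.group("file")
    else:
        loc = HOST_LOC_RE.match(location)
        if not loc:
            raise AlertFormatError(f"bad location: {location!r}")
        agent, addr, log_file = None, loc.group("host"), loc.group("file")

    m = RULE_RE.match(lines[2])
    if not m:
        raise AlertFormatError(f"bad rule line: {lines[2]!r}")
    alert = Alert(f"{epoch}.{counter}", groups, timestamp, agent, addr, log_file,
                  int(m.group(1)), int(m.group(2)), m.group(3))

    # Decoder fields sit between the Rule line and the raw log; stop at the
    # first line that is neither, so log text is never read as a field value.
    idx = 3
    while idx < len(lines):
        if lines[idx].startswith("Src IP: "):
            alert.src_ip = lines[idx][len("Src IP: "):]
        elif lines[idx].startswith("User: "):
            alert.user = lines[idx][len("User: "):]
        else:
            break
        idx += 1
    alert.raw_log = lines[idx:]
    return alert


def parse_alert_log(text: str) -> List[Alert]:
    """Split an alerts.log body on blank lines and parse every record."""
    return [parse_alert(b) for b in re.split(r"\n[ \t]*\n", text) if b.strip()]


def summarize(alert: Alert) -> str:
    """One-line listing in the shape the WUI shows; Src IP is '-' when absent."""
    where = f"({alert.agent}) " if alert.agent else ""
    return (f"{alert.timestamp} Rule Id: {alert.rule_id} level: {alert.level} "
            f"Location: {where}{alert.source_addr}->{alert.log_file} "
            f"Src IP: {alert.src_ip or '-'} | {alert.description}")


if __name__ == "__main__":
    for a in parse_alert_log(SAMPLE_ALERTS):
        print(summarize(a))
        print("   raw:", a.raw_log[0])
```

Feeding the two records from the report through `summarize` yields `Src IP: -` for both, and the raw log line is kept whole, starting with "Sep 13", which is exactly what the screenshot in the report lacks.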